├── .github └── workflows │ ├── go.yml │ ├── golangci-lint.yml │ ├── integration.yml │ ├── release.yml │ ├── testdata-lint.yml │ └── tld-update.yml ├── .gitignore ├── .golangci.yaml ├── CONTRIBUTING.md ├── LICENSE ├── README.md └── v3 ├── .goreleaser.yml ├── benchmarks_test.go ├── cmd ├── genTestCerts │ ├── genTestCerts.go │ ├── gen_test.go │ ├── go.mod │ └── go.sum ├── gen_test_crl │ ├── gen_test_crl.go │ ├── go.mod │ └── go.sum ├── zlint-gtld-update │ └── main.go └── zlint │ ├── config.toml │ └── main.go ├── formattedoutput └── formattedOutput.go ├── go.mod ├── go.sum ├── integration ├── README.md ├── certByFP.sh ├── config.go ├── config.json ├── corpus_test.go ├── csv.go ├── integration_test.go ├── lints │ ├── README.md │ ├── filters │ │ ├── files.go │ │ └── nodes.go │ ├── lint │ │ └── lint.go │ ├── lints │ │ ├── init_first.go │ │ ├── init_first_test.go │ │ ├── not_committing_genTestCerts.go │ │ ├── register_lint_deprecated.go │ │ ├── register_lint_deprecated_test.go │ │ └── testdata │ │ │ ├── lint_initializeFirst.go │ │ │ ├── lint_initializeFirstNoFunctions.go │ │ │ ├── lint_initializeNotFirst.go │ │ │ ├── lint_usesRegisterCertificateLint.go │ │ │ ├── lint_usesRegisterLint.go │ │ │ ├── lint_usesRegisterProfile.go │ │ │ └── lint_usesRegisterRevocationListLint.go │ ├── main.go │ ├── main_test.go │ └── testdata │ │ ├── lint_initFirst.go │ │ ├── lint_initializeFirstNoFunctions.go │ │ └── notAGolangFile.sh ├── main_test.go ├── package.go ├── result.go └── small.config.json ├── lint ├── base.go ├── base_test.go ├── configuration.go ├── configuration_test.go ├── global_configurations.go ├── lint_lookup.go ├── profile.go ├── registration.go ├── registration_test.go ├── result.go ├── result_test.go ├── source.go └── source_test.go ├── lints ├── apple │ ├── lint_ct_sct_policy_count_unsatisfied.go │ ├── lint_ct_sct_policy_count_unsatisfied_test.go │ ├── lint_e_server_cert_valid_time_longer_than_398_days.go │ ├── lint_e_server_cert_valid_time_longer_than_398_days_test.go │ 
├── lint_w_server_cert_valid_time_longer_than_397_days.go │ ├── lint_w_server_cert_valid_time_longer_than_397_days_test.go │ └── time.go ├── cabf_br │ ├── lint_aia_ca_issuers_must_have_http_only.go │ ├── lint_aia_ca_issuers_must_have_http_only_test.go │ ├── lint_aia_must_contain_permitted_access_method.go │ ├── lint_aia_must_contain_permitted_access_method_test.go │ ├── lint_aia_ocsp_must_have_http_only.go │ ├── lint_aia_ocsp_must_have_http_only_test.go │ ├── lint_aia_unique_locations.go │ ├── lint_aia_unique_locations_test.go │ ├── lint_ca_common_name_missing.go │ ├── lint_ca_common_name_missing_test.go │ ├── lint_ca_country_name_invalid.go │ ├── lint_ca_country_name_invalid_test.go │ ├── lint_ca_country_name_missing.go │ ├── lint_ca_country_name_missing_test.go │ ├── lint_ca_crl_sign_not_set.go │ ├── lint_ca_crl_sign_not_set_test.go │ ├── lint_ca_digital_signature_not_set.go │ ├── lint_ca_digital_signature_not_set_test.go │ ├── lint_ca_invalid_eku.go │ ├── lint_ca_invalid_eku_test.go │ ├── lint_ca_is_ca.go │ ├── lint_ca_is_ca_test.go │ ├── lint_ca_key_cert_sign_not_set.go │ ├── lint_ca_key_cert_sign_not_set_test.go │ ├── lint_ca_key_usage_missing.go │ ├── lint_ca_key_usage_missing_test.go │ ├── lint_ca_key_usage_not_critical.go │ ├── lint_ca_key_usage_not_critical_test.go │ ├── lint_ca_organization_name_missing.go │ ├── lint_ca_organization_name_missing_test.go │ ├── lint_cab_dv_conflicts_with_locality.go │ ├── lint_cab_dv_conflicts_with_locality_test.go │ ├── lint_cab_dv_conflicts_with_org.go │ ├── lint_cab_dv_conflicts_with_org_test.go │ ├── lint_cab_dv_conflicts_with_postal.go │ ├── lint_cab_dv_conflicts_with_postal_test.go │ ├── lint_cab_dv_conflicts_with_province.go │ ├── lint_cab_dv_conflicts_with_province_test.go │ ├── lint_cab_dv_conflicts_with_street.go │ ├── lint_cab_dv_conflicts_with_street_test.go │ ├── lint_cab_dv_subject_invalid_values.go │ ├── lint_cab_dv_subject_invalid_values_test.go │ ├── lint_cab_iv_requires_personal_name.go │ ├── 
lint_cab_iv_requires_personal_name_test.go │ ├── lint_cab_ov_requires_org.go │ ├── lint_cab_ov_requires_org_test.go │ ├── lint_cabf_crl_reason_code_not_critical.go │ ├── lint_cabf_crl_reason_code_not_critical_test.go │ ├── lint_cabf_crl_valid_reason_codes.go │ ├── lint_cabf_crl_valid_reason_codes_test.go │ ├── lint_cert_policy_iv_requires_country.go │ ├── lint_cert_policy_iv_requires_country_test.go │ ├── lint_cert_policy_iv_requires_province_or_locality.go │ ├── lint_cert_policy_iv_requires_province_or_locality_test.go │ ├── lint_cert_policy_ov_requires_country.go │ ├── lint_cert_policy_ov_requires_country_test.go │ ├── lint_cert_policy_ov_requires_province_or_locality.go │ ├── lint_cert_policy_ov_requires_province_or_locality_test.go │ ├── lint_crl_distrib_points_not_http.go │ ├── lint_crl_distrib_points_not_http_test.go │ ├── lint_crl_next_update_invalid.go │ ├── lint_crl_next_update_invalid_test.go │ ├── lint_crlissuer_must_not_be_present_in_cdp.go │ ├── lint_crlissuer_must_not_be_present_in_cdp_test.go │ ├── lint_dh_params_missing.go │ ├── lint_dnsname_bad_character_in_label.go │ ├── lint_dnsname_bad_character_in_label_test.go │ ├── lint_dnsname_check_left_label_wildcard.go │ ├── lint_dnsname_check_left_label_wildcard_test.go │ ├── lint_dnsname_contains_bare_iana_suffix.go │ ├── lint_dnsname_contains_bare_iana_suffix_test.go │ ├── lint_dnsname_contains_empty_label.go │ ├── lint_dnsname_contains_empty_label_test.go │ ├── lint_dnsname_contains_prohibited_reserved_label.go │ ├── lint_dnsname_contains_prohibited_reserved_label_test.go │ ├── lint_dnsname_hyphen_in_sld.go │ ├── lint_dnsname_hyphen_in_sld_test.go │ ├── lint_dnsname_label_too_long.go │ ├── lint_dnsname_label_too_long_test.go │ ├── lint_dnsname_right_label_valid_tld.go │ ├── lint_dnsname_right_label_valid_tld_test.go │ ├── lint_dnsname_underscore_in_sld.go │ ├── lint_dnsname_underscore_in_sld_test.go │ ├── lint_dnsname_underscore_in_trd.go │ ├── lint_dnsname_underscore_in_trd_test.go │ ├── 
lint_dnsname_wildcard_left_of_public_suffix.go │ ├── lint_dnsname_wildcard_left_of_public_suffix_test.go │ ├── lint_dnsname_wildcard_only_in_left_label.go │ ├── lint_dnsname_wildcard_only_in_left_label_test.go │ ├── lint_dsa_correct_order_in_subgroup.go │ ├── lint_dsa_correct_order_in_subgroup_test.go │ ├── lint_dsa_improper_modulus_or_divisor_size.go │ ├── lint_dsa_improper_modulus_or_divisor_size_test.go │ ├── lint_dsa_shorter_than_2048_bits.go │ ├── lint_dsa_shorter_than_2048_bits_test.go │ ├── lint_dsa_unique_correct_representation.go │ ├── lint_dsa_unique_correct_representation_test.go │ ├── lint_duplicate_subject_attribs.go │ ├── lint_duplicate_subject_attribs_test.go │ ├── lint_e_invalid_cps_uri.go │ ├── lint_e_invalid_cps_uri_test.go │ ├── lint_e_server_cert_valid_time_longer_than_100_days.go │ ├── lint_e_server_cert_valid_time_longer_than_100_days_test.go │ ├── lint_e_server_cert_valid_time_longer_than_200_days.go │ ├── lint_e_server_cert_valid_time_longer_than_200_days_test.go │ ├── lint_e_server_cert_valid_time_longer_than_47_days.go │ ├── lint_e_server_cert_valid_time_longer_than_47_days_test.go │ ├── lint_e_sub_ca_aia_missing.go │ ├── lint_e_sub_ca_aia_missing_test.go │ ├── lint_ec_improper_curves.go │ ├── lint_ec_improper_curves_test.go │ ├── lint_eku_critical.go │ ├── lint_eku_critical_test.go │ ├── lint_ext_nc_intersects_reserved_ip.go │ ├── lint_ext_nc_intersects_reserved_ip_test.go │ ├── lint_ext_san_contains_reserved_ip.go │ ├── lint_ext_san_contains_reserved_ip_test.go │ ├── lint_ext_san_critical_with_subject_dn.go │ ├── lint_ext_san_critical_with_subject_dn_test.go │ ├── lint_ext_san_directory_name_present.go │ ├── lint_ext_san_directory_name_present_test.go │ ├── lint_ext_san_edi_party_name_present.go │ ├── lint_ext_san_edi_party_name_present_test.go │ ├── lint_ext_san_missing.go │ ├── lint_ext_san_missing_test.go │ ├── lint_ext_san_other_name_present.go │ ├── lint_ext_san_other_name_present_test.go │ ├── lint_ext_san_registered_id_present.go 
│ ├── lint_ext_san_registered_id_present_test.go │ ├── lint_ext_san_rfc822_name_present.go │ ├── lint_ext_san_rfc822_name_present_test.go │ ├── lint_ext_san_uniform_resource_identifier_present.go │ ├── lint_ext_san_uniform_resource_identifier_present_test.go │ ├── lint_ext_subject_key_identifier_not_recommended_subscriber.go │ ├── lint_ext_subject_key_identifier_not_recommended_subscriber_test.go │ ├── lint_ext_tor_service_descriptor_hash_invalid.go │ ├── lint_ext_tor_service_descriptor_hash_invalid_test.go │ ├── lint_extra_subject_common_names.go │ ├── lint_extra_subject_common_names_test.go │ ├── lint_invalid_ca_certificate_policies.go │ ├── lint_invalid_ca_certificate_policies_test.go │ ├── lint_invalid_certificate_version.go │ ├── lint_invalid_certificate_version_test.go │ ├── lint_invalid_subject_rdn_order.go │ ├── lint_invalid_subject_rdn_order_test.go │ ├── lint_no_underscores_before_1_6_2.go │ ├── lint_no_underscores_before_1_6_2_test.go │ ├── lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go │ ├── lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth_test.go │ ├── lint_old_root_ca_rsa_mod_less_than_2048_bits.go │ ├── lint_old_root_ca_rsa_mod_less_than_2048_bits_test.go │ ├── lint_old_sub_ca_rsa_mod_less_than_1024_bits.go │ ├── lint_old_sub_ca_rsa_mod_less_than_1024_bits_test.go │ ├── lint_old_sub_cert_rsa_mod_less_than_1024_bits.go │ ├── lint_old_sub_cert_rsa_mod_less_than_1024_bits_test.go │ ├── lint_organizational_unit_name_prohibited.go │ ├── lint_organizational_unit_name_prohibited_test.go │ ├── lint_policy_qualifiers_other_than_cps_not_permitted.go │ ├── lint_policy_qualifiers_other_than_cps_not_permitted_test.go │ ├── lint_prohibit_dsa_usage.go │ ├── lint_prohibit_dsa_usage_test.go │ ├── lint_public_key_type_not_allowed.go │ ├── lint_public_key_type_not_allowed_test.go │ ├── lint_root_ca_basic_constraints_path_len_constraint_field_present.go │ ├── lint_root_ca_basic_constraints_path_len_constraint_field_present_test.go │ ├── 
lint_root_ca_contains_cert_policy.go │ ├── lint_root_ca_contains_cert_policy_test.go │ ├── lint_root_ca_extended_key_usage_present.go │ ├── lint_root_ca_extended_key_usage_present_test.go │ ├── lint_root_ca_key_usage_must_be_critical.go │ ├── lint_root_ca_key_usage_must_be_critical_test.go │ ├── lint_root_ca_key_usage_present.go │ ├── lint_root_ca_key_usage_present_test.go │ ├── lint_rsa_mod_factors_smaller_than_752_bits.go │ ├── lint_rsa_mod_factors_smaller_than_752_bits_test.go │ ├── lint_rsa_mod_less_than_2048_bits.go │ ├── lint_rsa_mod_less_than_2048_bits_test.go │ ├── lint_rsa_mod_not_odd.go │ ├── lint_rsa_mod_not_odd_test.go │ ├── lint_rsa_public_exponent_not_in_range.go │ ├── lint_rsa_public_exponent_not_in_range_test.go │ ├── lint_rsa_public_exponent_not_odd.go │ ├── lint_rsa_public_exponent_not_odd_test.go │ ├── lint_rsa_public_exponent_too_small.go │ ├── lint_rsa_public_exponent_too_small_test.go │ ├── lint_san_dns_name_onion_invalid.go │ ├── lint_san_dns_name_onion_invalid_test.go │ ├── lint_san_dns_name_onion_not_ev_cert.go │ ├── lint_san_dns_name_onion_not_ev_cert_test.go │ ├── lint_signature_algorithm_not_supported.go │ ├── lint_signature_algorithm_not_supported_test.go │ ├── lint_sub_ca_aia_does_not_contain_issuing_ca_url.go │ ├── lint_sub_ca_aia_does_not_contain_issuing_ca_url_test.go │ ├── lint_sub_ca_aia_marked_critical.go │ ├── lint_sub_ca_aia_marked_critical_test.go │ ├── lint_sub_ca_certificate_policies_marked_critical.go │ ├── lint_sub_ca_certificate_policies_marked_critical_test.go │ ├── lint_sub_ca_certificate_policies_missing.go │ ├── lint_sub_ca_certificate_policies_missing_test.go │ ├── lint_sub_ca_crl_distribution_points_does_not_contain_url.go │ ├── lint_sub_ca_crl_distribution_points_does_not_contain_url_test.go │ ├── lint_sub_ca_crl_distribution_points_marked_critical.go │ ├── lint_sub_ca_crl_distribution_points_marked_critical_test.go │ ├── lint_sub_ca_crl_distribution_points_missing.go │ ├── 
lint_sub_ca_crl_distribution_points_missing_test.go │ ├── lint_sub_ca_eku_critical.go │ ├── lint_sub_ca_eku_critical_test.go │ ├── lint_sub_ca_eku_missing.go │ ├── lint_sub_ca_eku_missing_test.go │ ├── lint_sub_ca_eku_valid_fields.go │ ├── lint_sub_ca_eku_valid_fields_test.go │ ├── lint_sub_ca_name_constraints_not_critical.go │ ├── lint_sub_ca_name_constraints_not_critical_test.go │ ├── lint_sub_cert_aia_contains_internal_names.go │ ├── lint_sub_cert_aia_contains_internal_names_test.go │ ├── lint_sub_cert_aia_does_not_contain_issuing_ca_url.go │ ├── lint_sub_cert_aia_does_not_contain_issuing_ca_url_test.go │ ├── lint_sub_cert_aia_does_not_contain_ocsp_url.go │ ├── lint_sub_cert_aia_does_not_contain_ocsp_url_test.go │ ├── lint_sub_cert_aia_marked_critical.go │ ├── lint_sub_cert_aia_marked_critical_test.go │ ├── lint_sub_cert_aia_missing.go │ ├── lint_sub_cert_aia_missing_test.go │ ├── lint_sub_cert_basic_constraints_not_critical.go │ ├── lint_sub_cert_basic_constraints_not_critical_test.go │ ├── lint_sub_cert_cert_policy_empty.go │ ├── lint_sub_cert_cert_policy_empty_test.go │ ├── lint_sub_cert_certificate_policies_marked_critical.go │ ├── lint_sub_cert_certificate_policies_marked_critical_test.go │ ├── lint_sub_cert_certificate_policies_missing.go │ ├── lint_sub_cert_certificate_policies_missing_test.go │ ├── lint_sub_cert_country_name_must_appear.go │ ├── lint_sub_cert_country_name_must_appear_test.go │ ├── lint_sub_cert_crl_distribution_points_does_not_contain_url.go │ ├── lint_sub_cert_crl_distribution_points_does_not_contain_url_test.go │ ├── lint_sub_cert_crl_distribution_points_marked_critical.go │ ├── lint_sub_cert_crl_distribution_points_marked_critical_test.go │ ├── lint_sub_cert_eku_check.go │ ├── lint_sub_cert_eku_check_test.go │ ├── lint_sub_cert_eku_extra_values.go │ ├── lint_sub_cert_eku_extra_values_test.go │ ├── lint_sub_cert_eku_missing.go │ ├── lint_sub_cert_eku_missing_test.go │ ├── lint_sub_cert_eku_server_auth_client_auth_missing.go │ ├── 
lint_sub_cert_eku_server_auth_client_auth_missing_test.go │ ├── lint_sub_cert_gn_sn_contains_policy.go │ ├── lint_sub_cert_gn_sn_contains_policy_test.go │ ├── lint_sub_cert_is_ca.go │ ├── lint_sub_cert_is_ca_test.go │ ├── lint_sub_cert_key_usage_cert_sign_bit_set.go │ ├── lint_sub_cert_key_usage_cert_sign_bit_set_test.go │ ├── lint_sub_cert_key_usage_crl_sign_bit_set.go │ ├── lint_sub_cert_key_usage_crl_sign_bit_set_test.go │ ├── lint_sub_cert_locality_name_must_appear.go │ ├── lint_sub_cert_locality_name_must_appear_test.go │ ├── lint_sub_cert_locality_name_must_not_appear.go │ ├── lint_sub_cert_locality_name_must_not_appear_test.go │ ├── lint_sub_cert_or_sub_ca_using_sha1.go │ ├── lint_sub_cert_or_sub_ca_using_sha1_test.go │ ├── lint_sub_cert_postal_code_prohibited.go │ ├── lint_sub_cert_postal_code_prohibited_test.go │ ├── lint_sub_cert_province_must_appear.go │ ├── lint_sub_cert_province_must_appear_test.go │ ├── lint_sub_cert_province_must_not_appear.go │ ├── lint_sub_cert_province_must_not_appear_test.go │ ├── lint_sub_cert_sha1_expiration_too_long.go │ ├── lint_sub_cert_sha1_expiration_too_long_test.go │ ├── lint_sub_cert_street_address_should_not_exist.go │ ├── lint_sub_cert_street_address_should_not_exist_test.go │ ├── lint_sub_cert_valid_time_longer_than_39_months.go │ ├── lint_sub_cert_valid_time_longer_than_39_months_test.go │ ├── lint_sub_cert_valid_time_longer_than_825_days.go │ ├── lint_sub_cert_valid_time_longer_than_825_days_test.go │ ├── lint_subj_orgunit_in_ca_cert.go │ ├── lint_subj_orgunit_in_ca_cert_test.go │ ├── lint_subject_common_name_included.go │ ├── lint_subject_common_name_included_sc62.go │ ├── lint_subject_common_name_included_sc62_test.go │ ├── lint_subject_common_name_included_test.go │ ├── lint_subject_common_name_not_exactly_from_san.go │ ├── lint_subject_common_name_not_exactly_from_san_test.go │ ├── lint_subject_common_name_not_from_san.go │ ├── lint_subject_common_name_not_from_san_test.go │ ├── 
lint_subject_contains_malformed_arpa_ip.go │ ├── lint_subject_contains_malformed_arpa_ip_test.go │ ├── lint_subject_contains_noninformational_value.go │ ├── lint_subject_contains_noninformational_value_test.go │ ├── lint_subject_contains_organizational_unit_name_and_no_organization_name.go │ ├── lint_subject_contains_organizational_unit_name_and_no_organization_name_test.go │ ├── lint_subject_contains_reserved_arpa_ip.go │ ├── lint_subject_contains_reserved_arpa_ip_test.go │ ├── lint_subject_contains_reserved_ip.go │ ├── lint_subject_contains_reserved_ip_test.go │ ├── lint_subject_country_not_iso.go │ ├── lint_subject_country_not_iso_test.go │ ├── lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go │ ├── lint_subject_public_key_info_improper_algorithm_object_identifier_encoding_test.go │ ├── lint_subject_rdns_correct_encoding.go │ ├── lint_subject_rdns_correct_encoding_test.go │ ├── lint_underscore_not_permissible_in_dnsname.go │ ├── lint_underscore_not_permissible_in_dnsname_test.go │ ├── lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go │ ├── lint_underscore_permissible_in_dnsname_if_valid_when_replaced_test.go │ ├── lint_underscore_present_with_too_long_validity.go │ ├── lint_underscore_present_with_too_long_validity_test.go │ ├── lint_w_server_cert_valid_time_longer_than_199_days.go │ ├── lint_w_server_cert_valid_time_longer_than_199_days_test.go │ ├── lint_w_server_cert_valid_time_longer_than_46_days.go │ ├── lint_w_server_cert_valid_time_longer_than_46_days_test.go │ ├── lint_w_server_cert_valid_time_longer_than_99_days.go │ ├── lint_w_server_cert_valid_time_longer_than_99_days_test.go │ ├── lint_w_sub_ca_aia_missing.go │ └── lint_w_sub_ca_aia_missing_test.go ├── cabf_cs_br │ ├── lint_cs_crl_distribution_points.go │ ├── lint_cs_crl_distribution_points_test.go │ ├── lint_cs_eku_required.go │ ├── lint_cs_eku_required_test.go │ ├── lint_cs_key_usage_required.go │ ├── lint_cs_key_usage_required_test.go │ ├── 
lint_cs_rsa_key_size.go │ └── lint_cs_rsa_key_size_test.go ├── cabf_ev │ ├── lint_cabf_org_identifier_psd_vat_has_state.go │ ├── lint_cabf_org_identifier_psd_vat_has_state_test.go │ ├── lint_ev_business_category_missing.go │ ├── lint_ev_business_category_missing_test.go │ ├── lint_ev_country_name_missing.go │ ├── lint_ev_country_name_missing_test.go │ ├── lint_ev_invalid_business_category.go │ ├── lint_ev_invalid_business_category_test.go │ ├── lint_ev_not_wildcard.go │ ├── lint_ev_not_wildcard_test.go │ ├── lint_ev_organization_id_missing.go │ ├── lint_ev_organization_id_missing_test.go │ ├── lint_ev_organization_name_missing.go │ ├── lint_ev_organization_name_missing_test.go │ ├── lint_ev_orgid_inconsistent_subj_and_ext.go │ ├── lint_ev_orgid_inconsistent_subj_and_ext_test.go │ ├── lint_ev_san_ip_address_present.go │ ├── lint_ev_san_ip_address_present_test.go │ ├── lint_ev_serial_number_missing.go │ ├── lint_ev_serial_number_missing_test.go │ ├── lint_ev_valid_time_too_long.go │ ├── lint_ev_valid_time_too_long_test.go │ ├── lint_extra_subject_attribs.go │ ├── lint_extra_subject_attribs_test.go │ ├── lint_invalid_orgid_reg_scheme.go │ ├── lint_invalid_orgid_reg_scheme_test.go │ ├── lint_onion_subject_validity_time_too_large.go │ └── lint_onion_subject_validity_time_too_large_test.go ├── cabf_smime_br │ ├── lint_adobe_extensions_legacy_multipurpose_criticality.go │ ├── lint_adobe_extensions_legacy_multipurpose_criticality_test.go │ ├── lint_adobe_extensions_strict_presence.go │ ├── lint_adobe_extensions_strict_presence_test.go │ ├── lint_aia_contains_internal_names.go │ ├── lint_aia_contains_internal_names_test.go │ ├── lint_authority_key_identifier.go │ ├── lint_authority_key_identifier_test.go │ ├── lint_commonname_mailbox_validated.go │ ├── lint_commonname_mailbox_validated_test.go │ ├── lint_ecpublickey_key_usages.go │ ├── lint_ecpublickey_key_usages_test.go │ ├── lint_ecpublickey_other_key_usages.go │ ├── lint_ecpublickey_other_key_usages_test.go │ ├── 
lint_edwardspublickey_key_usages.go │ ├── lint_edwardspublickey_key_usages_test.go │ ├── lint_invalid_individual_identity.go │ ├── lint_invalid_individual_identity_test.go │ ├── lint_key_usage_criticality.go │ ├── lint_key_usage_criticality_test.go │ ├── lint_key_usage_presence.go │ ├── lint_key_usage_presence_test.go │ ├── lint_legacy_aia_has_one_http.go │ ├── lint_legacy_aia_has_one_http_test.go │ ├── lint_legacy_gen_deprecated.go │ ├── lint_legacy_gen_deprecated_test.go │ ├── lint_legal_entity_identifier.go │ ├── lint_legal_entity_identifier_test.go │ ├── lint_qc_statements_not_critical.go │ ├── lint_qc_statements_not_critical_test.go │ ├── lint_registration_scheme_id_matches_subject_country.go │ ├── lint_registration_scheme_id_matches_subject_country_test.go │ ├── lint_rsa_key_usage_legacy_multipurpose.go │ ├── lint_rsa_key_usage_legacy_multipurpose_test.go │ ├── lint_rsa_key_usage_strict.go │ ├── lint_rsa_key_usage_strict_test.go │ ├── lint_rsa_other_key_usages.go │ ├── lint_rsa_other_key_usages_test.go │ ├── lint_san_shall_be_present.go │ ├── lint_san_shall_be_present_test.go │ ├── lint_san_should_not_be_critical.go │ ├── lint_san_should_not_be_critical_test.go │ ├── lint_single_email_if_present.go │ ├── lint_single_email_if_present_test.go │ ├── lint_single_email_subject_if_present.go │ ├── lint_single_email_subject_if_present_test.go │ ├── lint_strict_aia_has_http_only.go │ ├── lint_strict_aia_has_http_only_test.go │ ├── lint_subject_country_name.go │ ├── lint_subject_country_name_test.go │ ├── lint_subject_dir_attr.go │ ├── lint_subject_dir_attr_test.go │ ├── lint_subscribers_crl_distribution_points_are_http.go │ ├── lint_subscribers_crl_distribution_points_are_http_test.go │ ├── lint_subscribers_shall_have_crl_distribution_points.go │ ├── lint_subscribers_shall_have_crl_distribution_points_test.go │ ├── mailbox_address_from_san.go │ ├── mailbox_address_from_san_test.go │ ├── mailbox_validated_enforce_subject_field_restrictions.go │ ├── 
mailbox_validated_enforce_subject_field_restrictions_test.go │ ├── smime_legacy_multipurpose_eku_check.go │ ├── smime_legacy_multipurpose_eku_check_test.go │ ├── smime_strict_eku_check.go │ └── smime_strict_eku_check_test.go ├── community │ ├── lint_crl_unique_revoked_certificate.go │ ├── lint_crl_unique_revoked_certificate_test.go │ ├── lint_ian_bare_wildcard.go │ ├── lint_ian_bare_wildcard_test.go │ ├── lint_ian_dns_name_includes_null_char.go │ ├── lint_ian_dns_name_includes_null_char_test.go │ ├── lint_ian_dns_name_starts_with_period.go │ ├── lint_ian_dns_name_starts_with_period_test.go │ ├── lint_ian_iana_pub_suffix_empty.go │ ├── lint_ian_iana_pub_suffix_empty_test.go │ ├── lint_ian_wildcard_not_first.go │ ├── lint_ian_wildcard_not_first_test.go │ ├── lint_is_redacted_cert.go │ ├── lint_is_redacted_cert_test.go │ ├── lint_issuer_dn_leading_whitespace.go │ ├── lint_issuer_dn_leading_whitespace_test.go │ ├── lint_issuer_dn_trailing_whitespace.go │ ├── lint_issuer_dn_trailing_whitespace_test.go │ ├── lint_issuer_multiple_rdn.go │ ├── lint_issuer_multiple_rdn_test.go │ ├── lint_rsa_exp_negative.go │ ├── lint_rsa_exp_negative_test.go │ ├── lint_rsa_fermat_factorization.go │ ├── lint_rsa_fermat_factorization_test.go │ ├── lint_rsa_no_public_key.go │ ├── lint_san_bare_wildcard.go │ ├── lint_san_bare_wildcard_test.go │ ├── lint_san_dns_name_duplicate.go │ ├── lint_san_dns_name_duplicate_test.go │ ├── lint_san_dns_name_includes_null_char.go │ ├── lint_san_dns_name_includes_null_char_test.go │ ├── lint_san_dns_name_starts_with_period.go │ ├── lint_san_dns_name_starts_with_period_test.go │ ├── lint_san_iana_pub_suffix_empty.go │ ├── lint_san_iana_pub_suffix_empty_test.go │ ├── lint_san_wildcard_not_first.go │ ├── lint_san_wildcard_not_first_test.go │ ├── lint_subj_contains_html_entities.go │ ├── lint_subj_contains_html_entities_test.go │ ├── lint_subj_country_not_uppercase.go │ ├── lint_subj_country_not_uppercase_test.go │ ├── lint_subject_dn_leading_whitespace.go │ ├── 
lint_subject_dn_leading_whitespace_test.go │ ├── lint_subject_dn_trailing_whitespace.go │ ├── lint_subject_dn_trailing_whitespace_test.go │ ├── lint_subject_multiple_rdn.go │ ├── lint_subject_multiple_rdn_test.go │ ├── lint_utf8_latin1_mixup.go │ ├── lint_utf8_latin1_mixup_test.go │ ├── lint_validity_time_not_positive.go │ └── lint_validity_time_not_positive_test.go ├── etsi │ ├── lint_qcstatem_etsi_present_qcs_critical.go │ ├── lint_qcstatem_etsi_present_qcs_critical_test.go │ ├── lint_qcstatem_etsi_type_as_statem.go │ ├── lint_qcstatem_etsi_type_as_statem_test.go │ ├── lint_qcstatem_mandatory_etsi_statems.go │ ├── lint_qcstatem_mandatory_etsi_statems_test.go │ ├── lint_qcstatem_qccompliance_valid.go │ ├── lint_qcstatem_qccompliance_valid_test.go │ ├── lint_qcstatem_qclimitvalue_valid.go │ ├── lint_qcstatem_qclimitvalue_valid_test.go │ ├── lint_qcstatem_qcpds_https_url.go │ ├── lint_qcstatem_qcpds_https_url_test.go │ ├── lint_qcstatem_qcpds_lang_case.go │ ├── lint_qcstatem_qcpds_lang_case_test.go │ ├── lint_qcstatem_qcpds_valid.go │ ├── lint_qcstatem_qcpds_valid_test.go │ ├── lint_qcstatem_qcretentionperiod_valid.go │ ├── lint_qcstatem_qcsscd_valid.go │ ├── lint_qcstatem_qctype_smime.go │ ├── lint_qcstatem_qctype_smime_test.go │ ├── lint_qcstatem_qctype_valid.go │ ├── lint_qcstatem_qctype_valid_test.go │ ├── lint_qcstatem_qctype_web.go │ └── lint_qcstatem_qctype_web_test.go ├── mozilla │ ├── lint_e_prohibit_dsa_usage.go │ ├── lint_e_prohibit_dsa_usage_test.go │ ├── lint_mp_allowed_eku.go │ ├── lint_mp_allowed_eku_test.go │ ├── lint_mp_authority_key_identifier_correct.go │ ├── lint_mp_authority_key_identifier_correct_test.go │ ├── lint_mp_ecdsa_pub_key_encoding_correct.go │ ├── lint_mp_ecdsa_pub_key_encoding_correct_test.go │ ├── lint_mp_ecdsa_signature_encoding_correct.go │ ├── lint_mp_ecdsa_signature_encoding_correct_test.go │ ├── lint_mp_exponent_cannot_be_one.go │ ├── lint_mp_exponent_cannot_be_one_test.go │ ├── lint_mp_modulus_must_be_2048_bits_or_more.go │ 
├── lint_mp_modulus_must_be_2048_bits_or_more_test.go │ ├── lint_mp_modulus_must_be_divisible_by_8.go │ ├── lint_mp_modulus_must_be_divisible_by_8_test.go │ ├── lint_mp_pss_parameters_encoding_correct.go │ ├── lint_mp_pss_parameters_encoding_correct_test.go │ ├── lint_mp_rsassa-pss_in_spki.go │ └── lint_mp_rsassa-pss_in_spki_test.go ├── rfc │ ├── lint_basic_constraints_not_critical.go │ ├── lint_basic_constraints_not_critical_test.go │ ├── lint_ca_subject_field_empty.go │ ├── lint_ca_subject_field_empty_test.go │ ├── lint_cert_contains_unique_identifier.go │ ├── lint_cert_contains_unique_identifier_test.go │ ├── lint_cert_ext_invalid_der.go │ ├── lint_cert_ext_invalid_der_test.go │ ├── lint_cert_extensions_version_not_3.go │ ├── lint_cert_extensions_version_not_3_test.go │ ├── lint_cert_unique_identifier_version_not_2_or_3.go │ ├── lint_cert_unique_identifier_version_not_2_or_3_test.go │ ├── lint_crl_empty_revoked_certificates.go │ ├── lint_crl_empty_revoked_certificates_test.go │ ├── lint_crl_has_authority_key_identifier.go │ ├── lint_crl_has_authority_key_identifier_test.go │ ├── lint_crl_has_next_update.go │ ├── lint_crl_has_next_update_test.go │ ├── lint_crl_missing_crl_number.go │ ├── lint_crl_missing_crl_number_test.go │ ├── lint_crl_revoked_certificates_field_empty.go │ ├── lint_crl_revoked_certificates_field_empty_test.go │ ├── lint_crl_valid_reason_codes.go │ ├── lint_crl_valid_reason_codes_test.go │ ├── lint_distribution_point_incomplete.go │ ├── lint_distribution_point_incomplete_test.go │ ├── lint_distribution_point_missing_ldap_or_uri.go │ ├── lint_distribution_point_missing_ldap_or_uri_test.go │ ├── lint_dnsname_contains_empty_label.go │ ├── lint_dnsname_contains_empty_label_test.go │ ├── lint_dnsname_hyphen_in_sld.go │ ├── lint_dnsname_hyphen_in_sld_test.go │ ├── lint_dnsname_label_too_long.go │ ├── lint_dnsname_label_too_long_test.go │ ├── lint_dnsname_underscore_in_sld.go │ ├── lint_dnsname_underscore_in_sld_test.go │ ├── 
lint_dnsname_underscore_in_trd.go │ ├── lint_dnsname_underscore_in_trd_test.go │ ├── lint_ecdsa_allowed_ku.go │ ├── lint_ecdsa_allowed_ku_test.go │ ├── lint_ecdsa_ee_invalid_ku.go │ ├── lint_ecdsa_ee_invalid_ku_test.go │ ├── lint_eku_critical_improperly.go │ ├── lint_eku_critical_improperly_test.go │ ├── lint_empty_sct_list.go │ ├── lint_empty_sct_list_test.go │ ├── lint_ext_aia_access_location_missing.go │ ├── lint_ext_aia_access_location_missing_test.go │ ├── lint_ext_aia_marked_critical.go │ ├── lint_ext_aia_marked_critical_test.go │ ├── lint_ext_authority_key_identifier_critical.go │ ├── lint_ext_authority_key_identifier_critical_test.go │ ├── lint_ext_authority_key_identifier_no_key_identifier.go │ ├── lint_ext_authority_key_identifier_no_key_identifier_test.go │ ├── lint_ext_cert_policy_contains_noticeref.go │ ├── lint_ext_cert_policy_contains_noticeref_test.go │ ├── lint_ext_cert_policy_disallowed_any_policy_qualifier.go │ ├── lint_ext_cert_policy_disallowed_any_policy_qualifier_test.go │ ├── lint_ext_cert_policy_duplicate.go │ ├── lint_ext_cert_policy_duplicate_test.go │ ├── lint_ext_cert_policy_explicit_text_ia5_string.go │ ├── lint_ext_cert_policy_explicit_text_ia5_string_test.go │ ├── lint_ext_cert_policy_explicit_text_includes_control.go │ ├── lint_ext_cert_policy_explicit_text_includes_control_test.go │ ├── lint_ext_cert_policy_explicit_text_not_nfc.go │ ├── lint_ext_cert_policy_explicit_text_not_nfc_test.go │ ├── lint_ext_cert_policy_explicit_text_not_utf8.go │ ├── lint_ext_cert_policy_explicit_text_not_utf8_test.go │ ├── lint_ext_cert_policy_explicit_text_too_long.go │ ├── lint_ext_cert_policy_explicit_text_too_long_test.go │ ├── lint_ext_crl_distribution_marked_critical.go │ ├── lint_ext_crl_distribution_marked_critical_test.go │ ├── lint_ext_duplicate_extension.go │ ├── lint_ext_duplicate_extension_test.go │ ├── lint_ext_freshest_crl_marked_critical.go │ ├── lint_ext_freshest_crl_marked_critical_test.go │ ├── lint_ext_ian_critical.go │ ├── 
lint_ext_ian_critical_test.go │ ├── lint_ext_ian_dns_not_ia5_string.go │ ├── lint_ext_ian_dns_not_ia5_string_test.go │ ├── lint_ext_ian_empty_name.go │ ├── lint_ext_ian_empty_name_test.go │ ├── lint_ext_ian_no_entries.go │ ├── lint_ext_ian_no_entries_test.go │ ├── lint_ext_ian_rfc822_format_invalid.go │ ├── lint_ext_ian_rfc822_format_invalid_test.go │ ├── lint_ext_ian_space_dns_name.go │ ├── lint_ext_ian_space_dns_name_test.go │ ├── lint_ext_ian_uri_format_invalid.go │ ├── lint_ext_ian_uri_format_invalid_test.go │ ├── lint_ext_ian_uri_host_not_fqdn_or_ip.go │ ├── lint_ext_ian_uri_host_not_fqdn_or_ip_test.go │ ├── lint_ext_ian_uri_not_ia5.go │ ├── lint_ext_ian_uri_not_ia5_test.go │ ├── lint_ext_ian_uri_relative.go │ ├── lint_ext_ian_uri_relative_test.go │ ├── lint_ext_key_usage_cert_sign_without_ca.go │ ├── lint_ext_key_usage_cert_sign_without_ca_test.go │ ├── lint_ext_key_usage_not_critical.go │ ├── lint_ext_key_usage_not_critical_test.go │ ├── lint_ext_key_usage_without_bits.go │ ├── lint_ext_key_usage_without_bits_test.go │ ├── lint_ext_name_constraints_not_critical.go │ ├── lint_ext_name_constraints_not_critical_test.go │ ├── lint_ext_name_constraints_not_in_ca.go │ ├── lint_ext_name_constraints_not_in_ca_test.go │ ├── lint_ext_policy_constraints_empty.go │ ├── lint_ext_policy_constraints_empty_test.go │ ├── lint_ext_policy_constraints_not_critical.go │ ├── lint_ext_policy_constraints_not_critical_test.go │ ├── lint_ext_policy_map_any_policy.go │ ├── lint_ext_policy_map_any_policy_test.go │ ├── lint_ext_policy_map_not_critical.go │ ├── lint_ext_policy_map_not_critical_test.go │ ├── lint_ext_policy_map_not_in_cert_policy.go │ ├── lint_ext_policy_map_not_in_cert_policy_test.go │ ├── lint_ext_san_dns_name_too_long.go │ ├── lint_ext_san_dns_name_too_long_test.go │ ├── lint_ext_san_dns_not_ia5_string.go │ ├── lint_ext_san_dns_not_ia5_string_test.go │ ├── lint_ext_san_empty_name.go │ ├── lint_ext_san_empty_name_test.go │ ├── lint_ext_san_no_entries.go │ ├── 
lint_ext_san_no_entries_test.go │ ├── lint_ext_san_not_critical_without_subject.go │ ├── lint_ext_san_not_critical_without_subject_test.go │ ├── lint_ext_san_rfc822_format_invalid.go │ ├── lint_ext_san_rfc822_format_invalid_test.go │ ├── lint_ext_san_space_dns_name.go │ ├── lint_ext_san_space_dns_name_test.go │ ├── lint_ext_san_uri_format_invalid.go │ ├── lint_ext_san_uri_format_invalid_test.go │ ├── lint_ext_san_uri_host_not_fqdn_or_ip.go │ ├── lint_ext_san_uri_host_not_fqdn_or_ip_test.go │ ├── lint_ext_san_uri_not_ia5.go │ ├── lint_ext_san_uri_not_ia5_test.go │ ├── lint_ext_san_uri_relative.go │ ├── lint_ext_san_uri_relative_test.go │ ├── lint_ext_subject_directory_attr_critical.go │ ├── lint_ext_subject_directory_attr_critical_test.go │ ├── lint_ext_subject_key_identifier_critical.go │ ├── lint_ext_subject_key_identifier_critical_test.go │ ├── lint_ext_subject_key_identifier_missing_ca.go │ ├── lint_ext_subject_key_identifier_missing_ca_test.go │ ├── lint_ext_subject_key_identifier_missing_sub_cert.go │ ├── lint_ext_subject_key_identifier_missing_sub_cert_test.go │ ├── lint_generalized_time_does_not_include_seconds.go │ ├── lint_generalized_time_includes_fraction_seconds.go │ ├── lint_generalized_time_not_in_zulu.go │ ├── lint_generalized_time_not_in_zulu_test.go │ ├── lint_idn_dnsname_malformed_unicode.go │ ├── lint_idn_dnsname_malformed_unicode_test.go │ ├── lint_idn_dnsname_must_be_nfc.go │ ├── lint_idn_dnsname_must_be_nfc_test.go │ ├── lint_incorrect_ku_encoding.go │ ├── lint_incorrect_ku_encoding_test.go │ ├── lint_inhibit_any_policy_not_critical.go │ ├── lint_inhibit_any_policy_not_critical_test.go │ ├── lint_issuer_dn_country_not_printable_string.go │ ├── lint_issuer_dn_country_not_printable_string_test.go │ ├── lint_issuer_field_empty.go │ ├── lint_issuer_field_empty_test.go │ ├── lint_key_usage_and_extended_key_usage_inconsistent.go │ ├── lint_key_usage_and_extended_key_usage_inconsistent_test.go │ ├── lint_key_usage_incorrect_length.go │ ├── 
lint_key_usage_incorrect_length_test.go │ ├── lint_name_constraint_empty.go │ ├── lint_name_constraint_empty_test.go │ ├── lint_name_constraint_maximum_not_absent.go │ ├── lint_name_constraint_maximum_not_absent_test.go │ ├── lint_name_constraint_minimum_non_zero.go │ ├── lint_name_constraint_minimum_non_zero_test.go │ ├── lint_name_constraint_not_fqdn.go │ ├── lint_name_constraint_not_fqdn_test.go │ ├── lint_name_constraint_on_edi_party_name.go │ ├── lint_name_constraint_on_edi_party_name_test.go │ ├── lint_name_constraint_on_registered_id.go │ ├── lint_name_constraint_on_registered_id_test.go │ ├── lint_name_constraint_on_x400.go │ ├── lint_name_constraint_on_x400_test.go │ ├── lint_ocsp_this_update_not_after_produced_at.go │ ├── lint_ocsp_this_update_not_after_produced_at_test.go │ ├── lint_path_len_constraint_improperly_included.go │ ├── lint_path_len_constraint_improperly_included_test.go │ ├── lint_path_len_constraint_zero_or_less.go │ ├── lint_path_len_constraint_zero_or_less_test.go │ ├── lint_precert_with_sct_list.go │ ├── lint_precert_with_sct_list_test.go │ ├── lint_rsa_allowed_ku_ca.go │ ├── lint_rsa_allowed_ku_ca_test.go │ ├── lint_rsa_allowed_ku_ee.go │ ├── lint_rsa_allowed_ku_ee_test.go │ ├── lint_rsa_allowed_ku_no_encipherment_ca.go │ ├── lint_rsa_allowed_ku_no_encipherment_ca_test.go │ ├── lint_serial_number_longer_than_20_octets.go │ ├── lint_serial_number_longer_than_20_octets_test.go │ ├── lint_serial_number_not_positive.go │ ├── lint_serial_number_not_positive_test.go │ ├── lint_spki_rsa_encryption_parameter_not_null.go │ ├── lint_spki_rsa_encryption_parameter_not_null_test.go │ ├── lint_subject_common_name_max_length.go │ ├── lint_subject_common_name_max_length_test.go │ ├── lint_subject_dn_country_not_printable_string.go │ ├── lint_subject_dn_country_not_printable_string_test.go │ ├── lint_subject_dn_not_printable_characters.go │ ├── lint_subject_dn_not_printable_characters_test.go │ ├── lint_subject_dn_serial_number_max_length.go │ ├── 
lint_subject_dn_serial_number_max_length_test.go │ ├── lint_subject_dn_serial_number_not_printable_string.go │ ├── lint_subject_email_max_length.go │ ├── lint_subject_email_max_length_test.go │ ├── lint_subject_empty_without_san.go │ ├── lint_subject_empty_without_san_test.go │ ├── lint_subject_given_name_max_length.go │ ├── lint_subject_given_name_max_length_test.go │ ├── lint_subject_given_name_recommended_max_length.go │ ├── lint_subject_given_name_recommended_max_length_test.go │ ├── lint_subject_info_access_marked_critical.go │ ├── lint_subject_info_access_marked_critical_test.go │ ├── lint_subject_locality_name_max_length.go │ ├── lint_subject_locality_name_max_length_test.go │ ├── lint_subject_not_dn.go │ ├── lint_subject_organization_name_max_length.go │ ├── lint_subject_organization_name_max_length_test.go │ ├── lint_subject_organizational_unit_name_max_length.go │ ├── lint_subject_organizational_unit_name_max_length_test.go │ ├── lint_subject_postal_code_max_length.go │ ├── lint_subject_postal_code_max_length_test.go │ ├── lint_subject_printable_string_badalpha.go │ ├── lint_subject_printable_string_badalpha_test.go │ ├── lint_subject_state_name_max_length.go │ ├── lint_subject_state_name_max_length_test.go │ ├── lint_subject_street_address_max_length.go │ ├── lint_subject_street_address_max_length_test.go │ ├── lint_subject_surname_max_length.go │ ├── lint_subject_surname_max_length_test.go │ ├── lint_subject_surname_recommended_max_length.go │ ├── lint_subject_surname_recommended_max_length_test.go │ ├── lint_superfluous_ku_encoding.go │ ├── lint_superfluous_ku_encoding_test.go │ ├── lint_tbs_signature_alg_matches_cert_signature_alg.go │ ├── lint_tbs_signature_alg_matches_cert_signature_alg_test.go │ ├── lint_tbs_signature_rsa_encryption_parameter_not_null.go │ ├── lint_tbs_signature_rsa_encryption_parameter_not_null_test.go │ ├── lint_utc_time_does_not_include_seconds.go │ ├── lint_utc_time_does_not_include_seconds_test.go │ ├── 
lint_utc_time_not_in_zulu.go │ ├── lint_utc_time_not_in_zulu_test.go │ ├── lint_wrong_time_format_pre2050.go │ └── lint_wrong_time_format_pre2050_test.go └── template_test.go ├── makefile ├── newLint.sh ├── newProfile.sh ├── profileTemplate ├── profiles ├── profiles_test.go └── todo.go ├── resultset.go ├── template ├── test ├── configuration_test_framework_test.go ├── helpers.go └── prepend_testcerts_openssl.sh ├── test_template ├── testdata ├── 27monthsEv.pem ├── 39months.pem ├── CNPresentButEmpty.pem ├── CNWithoutSANSeptember2021.pem ├── DNSFQDN.pem ├── IANBareSuffix.pem ├── IANBareWildcard.pem ├── IANCritical.pem ├── IANDNSIA5String.pem ├── IANDNSNotIA5String.pem ├── IANDNSNull.pem ├── IANDNSPeriod.pem ├── IANEmpty.pem ├── IANEmptyDNS.pem ├── IANEmptyName.pem ├── IANGoodSuffix.pem ├── IANInvalidEmail.pem ├── IANNonEmptyDNS.pem ├── IANNotCritical.pem ├── IANSpaceDNSBeginning.pem ├── IANSpaceDNSEnd.pem ├── IANURIHostAsterisk.pem ├── IANURIHostFQDN.pem ├── IANURIHostIP.pem ├── IANURIHostNotFQDNOrIP.pem ├── IANURIHostWildcardFQDN.pem ├── IANURIHostWrongWildcard.pem ├── IANURIIA5String.pem ├── IANURINoScheme.pem ├── IANURINoSchemeSpecificPart.pem ├── IANURINotIA5String.pem ├── IANURIValid.pem ├── IANValidEmail.pem ├── IANWildcardFirst.pem ├── IssuerDNCountryNotPrintableString.pem ├── MultipleCNsAllInSAN.pem ├── NCReservedIPNet.pem ├── NCValidIPNet.pem ├── NameConstraintCA.pem ├── NameConstraintCrit.pem ├── NameConstraintNotCA.pem ├── NameConstraintNotCrit.pem ├── QcStmtEtsiEsealValidCert02.pem ├── QcStmtEtsiLangCodeUpperCaseCert23.pem ├── QcStmtEtsiMissingEnglishPdsCert04.pem ├── QcStmtEtsiMissingMandatoryCert14.pem ├── QcStmtEtsiMissingPDSCert16.pem ├── QcStmtEtsiNoQcStatmentsCert22.pem ├── QcStmtEtsiNumberInLangCodeCert21.pem ├── QcStmtEtsiQcTypeAsQcStmtCert10.pem ├── QcStmtEtsiTwoEnglPdsCert12.pem ├── QcStmtEtsiTwoLangCodesCert17.pem ├── QcStmtEtsiTwoQcTypesCert15.pem ├── QcStmtEtsiValidAddLangCert13.pem ├── QcStmtEtsiValidCert03.pem ├── QcStmtEtsiValidCert11.pem 
├── QcStmtEtsiValidCert24.pem ├── QcStmtEtsiWrongCriticalityCert06.pem ├── QcStmtEtsiWrongEncodingLangCodeCert07.pem ├── QcStmtEtsiWrongEncodingUrlCert08.pem ├── QcStmtEtsiWrongLangCodeCert05.pem ├── QcStmtInvalidLimitValue.pem ├── QcStmtValidLimitValue.pem ├── RFC5280example2.pem ├── RSASHA1Good.pem ├── SANBareSuffix.pem ├── SANBareWildcard.pem ├── SANCaGood.pem ├── SANCaseNotMatchingCN.pem ├── SANCaseNotMatchingCNSeptember2021.pem ├── SANCriticalSubjectUncommonOnly.pem ├── SANDNSAsterisk.pem ├── SANDNSDuplicate.pem ├── SANDNSNameNotFQDN.pem ├── SANDNSNotIA5String.pem ├── SANDNSNull.pem ├── SANDNSPeriod.pem ├── SANDNSTooLong.pem ├── SANDNSWildcard.pem ├── SANDNSWrongWildcard.pem ├── SANDirectoryNameBeginning.pem ├── SANDirectoryNameEnd.pem ├── SANEDIParty.pem ├── SANEmptyName.pem ├── SANGoodSuffix.pem ├── SANIPv4Address.pem ├── SANIPv4AddressNotMatchingCommonName.pem ├── SANIPv6Address.pem ├── SANIPv6AddressChoiceInAbbreviation.pem ├── SANIPv6AddressChoiceInAbbreviationInvalid.pem ├── SANIPv6AddressNotMatchingCommonName.pem ├── SANIPv6AddressOne0Field.pem ├── SANNoEntries.pem ├── SANNotCriticalSubjectUncommonOnly.pem ├── SANOtherName.pem ├── SANRFC822Beginning.pem ├── SANRFC822End.pem ├── SANRegisteredIdBeginning.pem ├── SANRegisteredIdEnd.pem ├── SANReservedIP.pem ├── SANReservedIP6.pem ├── SANSubjectEmptyNotCritical.pem ├── SANURIAbsolute.pem ├── SANURIBeginning.pem ├── SANURIEnd.pem ├── SANURIFQDN.pem ├── SANURIHostAsterisk.pem ├── SANURIHostFQDN.pem ├── SANURIHostWildcardFQDN.pem ├── SANURIHostWrongWildcard.pem ├── SANURIIA5.pem ├── SANURIIP.pem ├── SANURINoAuthority.pem ├── SANURINoScheme.pem ├── SANURINoSchemeSpecificPart.pem ├── SANURINotFQDN.pem ├── SANURINotIA5.pem ├── SANURIRelative.pem ├── SANURIValid.pem ├── SANValidIP.pem ├── SANWildcardFirst.pem ├── SANWithCNSeptember2021.pem ├── SANWithInvalidEmail.pem ├── SANWithInvalidEmail2.pem ├── SANWithMissingCN.pem ├── SANWithSpaceDNS.pem ├── SANWithSpaceDNSBeginning.pem ├── SANWithSpaceDNSCenter.pem ├── 
SANWithSpaceDNSEnd.pem ├── SANWithSpaceRFC822Center.pem ├── SANWithValidEmail.pem ├── SANdnsbadsyntax.pem ├── SANdnsdollarsyntax.pem ├── SANdnsgoodsyntax.pem ├── SANdnshyphensyntax.pem ├── SubjectDNAndIssuerDNCountryPrintableString.pem ├── SubjectDNCountryNotPrintableString.pem ├── SubjectDNSerialNumberNotPrintableString.pem ├── SubjectDNSerialNumberTooLong.pem ├── SubjectEmailToolLong.pem ├── aiaCaIssuersFTPOnly.pem ├── aiaCaIssuersHTTPAndLDAP.pem ├── aiaCaIssuersHTTPOnly.pem ├── aiaCaIssuersHttpOnlyNE.pem ├── aiaCaIssuersHttpOnlyNoCAIssuers.pem ├── aiaCaIssuersHttpsOnly.pem ├── aiaCaIssuersLDAPOnly.pem ├── aiaCrit.pem ├── aiaDuplicateCaIssuerUrlUpperCase.pem ├── aiaDuplicateOCSPUrl.pem ├── aiaOCSPHttpOnlyNE.pem ├── aiaOCSPOneHTTPOneLDAP.pem ├── aiaOCSPWithHTTPSURL.pem ├── aiaWithIP.pem ├── aiaWithInternalNames.pem ├── aiaWithValidNames.pem ├── aiaWrongGeneralName.pem ├── akiCritical.pem ├── akiMissing.pem ├── akiNoKeyIdentifier.pem ├── akiWithSerial.pem ├── akidNoKeyIdentifier.pem ├── akidWithKeyID.pem ├── allUIDv1.pem ├── allUIDv2.pem ├── badRsaExp.pem ├── badRsaExpLength.pem ├── basicConstraintsCriticalSC62.pem ├── basicConstraintsNotCriticalSC62.pem ├── beginsWithPeriodConstraintFQDN.pem ├── c0r0e0a0s0m0b0.pem ├── c1r0e0a0s0m0b0.pem ├── c1r0e1a0s0m1b0.pem ├── c1r0e1a0s1m0b0.pem ├── c1r0e1a0s1m1b0.pem ├── c1r0e1a0s1m1b1.pem ├── c1r0e1a1s0m0b0.pem ├── c1r0e1a1s0m1b0.pem ├── c1r1e0a0s0m0b0.pem ├── caBasicConstCrit.pem ├── caBasicConstMissing.pem ├── caBasicConstNotCrit.pem ├── caBlankCountry.pem ├── caCertificateAfter15092023.pem ├── caCommonNameMissing.pem ├── caCommonNameNotMissing.pem ├── caInvalCountryCode.pem ├── caIssuerBlank.pem ├── caIssuerHTTP.pem ├── caIssuerLDAP.pem ├── caIssuerNoHTTPLDAP.pem ├── caKeyUsageCrit.pem ├── caKeyUsageMissing.pem ├── caKeyUsageNoCRL.pem ├── caKeyUsageNoCertSign.pem ├── caKeyUsageNotCrit.pem ├── caKeyUsageWDigSign.pem ├── caMaxPathLenMissing.pem ├── caMaxPathLenPositive.pem ├── caMaxPathLenPresentNoCertSign.pem ├── 
caMaxPathNegative.pem ├── caOrgNameEmpty.pem ├── caOrgNameMissing.pem ├── caSubjectEmpty.pem ├── caSubjectMissing.pem ├── caValCountry.pem ├── caValOrgName.pem ├── caWithRSAAllowedKeyUsageOld.pem ├── caWithRSAAndEnciphermentKeyUsage.pem ├── caWithRSADisallowedKeyUsage.pem ├── cabfOrgIdentifierPSDState.pem ├── cacp_c0r0p0m0a0b0e0.pem ├── cacp_c1r0p0m0a0b0e0.pem ├── cacp_c1r0p1m0a0b0e1.pem ├── cacp_c1r0p1m0a0b1e1.pem ├── cacp_c1r0p1m0a1b0e1.pem ├── cacp_c1r0p1m1a0b0e0.pem ├── cacp_c1r0p1m1a0b0e1.pem ├── cacp_c1r0p1m1a0b1e1.pem ├── cacp_c1r0p1m1a1b0e0.pem ├── cacp_c1r1p0m0a0b0e0.pem ├── cdp_not_http_ko1.pem ├── cdp_not_http_ko2.pem ├── cdp_not_http_na1.pem ├── cdp_not_http_ne1.pem ├── cdp_not_http_ok1.pem ├── cdp_not_http_ok2.pem ├── certPolicyAssertionDuplicated.pem ├── certPolicyDuplicateShort.pem ├── certPolicyNoDuplicate.pem ├── certVersion1NoExtensions.pem ├── certVersion2NoExtensions.pem ├── certVersion2WithExtension.pem ├── certVersion3NoExtensions.pem ├── certVersion4NoExtensions.pem ├── certVersion4WithExtension.pem ├── cert_ext_invalid_der_ko_01.pem ├── cert_ext_invalid_der_ok_01.pem ├── code_signing │ ├── codeSigningWithECDSAKey.pem │ ├── containsNotRecommendedKeyUsage.pem │ ├── containsProhibitedEKU.pem │ ├── containsProhibitedKeyUsage.pem │ ├── crlDpNoHttp.pem │ ├── lessThan3072RSAKeySize.pem │ ├── noCrldpIncluded.pem │ ├── noDigitalSignatureKeyUsage.pem │ ├── noRequiredCodeSigningEKU.pem │ └── validCodeSigningCertificate.pem ├── commonNameExistsSC62.pem ├── commonNameGoodSC62.pem ├── commonNameInSAN.pem ├── commonNamesGood.pem ├── commonNamesIP.pem ├── commonNamesURL.pem ├── countryISOLowerCase.pem ├── country_not_upcase_ko1.pem ├── country_not_upcase_ko2.pem ├── country_not_upcase_ko3.pem ├── country_not_upcase_ok1.pem ├── crlComlepteDp.pem ├── crlDistribCrit.pem ├── crlDistribNoHTTP.pem ├── crlDistribNotCrit.pem ├── crlDistribWithHTTP.pem ├── crlDistribWithLDAP.pem ├── crlEmpty.pem ├── crlEntrustNoRevokedCerts01.pem ├── crlEntrustNoRevokedCerts02.pem 
├── crlHasNextUpdate.pem ├── crlIncomlepteDp.pem ├── crlIssuerMustNotBePresent_NA.pem ├── crlIssuerMustNotBePresent_error.pem ├── crlIssuerMustNotBePresent_pass.pem ├── crlNotHaveNextUpdate.pem ├── crlReasonCodeCrit.pem ├── crlThisUpdate20230505.pem ├── crlWithAuthKeyID.pem ├── crlWithDuplicatesInRevokedCertificateList.pem ├── crlWithMissingAuthKeyID.pem ├── crlWithNoDuplicatesInRevokedCertificateList.pem ├── crlWithReasonCode0.pem ├── crlWithReasonCode2.pem ├── crlWithReasonCode5.pem ├── crlWithReasonCode7.pem ├── crlWithRevokedCertificatesContainerButNoActualRevokedCerts-CBonnell.pem ├── crlWithRevokedCertificatesContainerButNoActualRevokedCerts-ReallyReallyBroken.pem ├── crl_empty_revoked_certificates_ko.pem ├── crl_empty_revoked_certificates_ok.pem ├── crl_missing_crl_number_ko.pem ├── crl_missing_crl_number_ok.pem ├── crl_nextupdate_nup0_sub0_len0_eff0.pem ├── crl_nextupdate_nup1_sub0_len0_eff0.pem ├── crl_nextupdate_nup1_sub0_len1_eff0.pem ├── crl_nextupdate_nup1_sub0_len1_eff1.pem ├── crl_nextupdate_nup1_sub1_len0_eff0.pem ├── crl_nextupdate_nup1_sub1_len1_eff0.pem ├── crl_nextupdate_nup1_sub1_len1_eff1.pem ├── ct18mo2SCTs.pem ├── ct18mo3SCTs.pem ├── ct38mo3SCTs.pem ├── ct38mo4SCTs.pem ├── ct3mo1SCTs.pem ├── ct3mo2DupeSCTs.pem ├── ct3mo2SCTs.pem ├── ct666mo4SCTs.pem ├── ct666mo5SCTs.pem ├── ctNoSCTs.pem ├── ctNoSCTsPoisoned.pem ├── dNSNameNoUnderscores.pem ├── dNSNameNoUnderscoresHardEnforcementPeriod.pem ├── dNSNameUnderscoreNotValidWhenReplaced.pem ├── dNSNameUnderscoreValidWhenReplaced.pem ├── dNSNameWithUnderscores.pem ├── dNSNameWithUnderscoresHardEnforcementPeriod.pem ├── dNSNoUnderscoresBeforeHardEnforcementPeriod.pem ├── dNSNoUnderscoresLongValidity.pem ├── dNSNoUnderscoresNotEffectiveForCABF_1_6_2.pem ├── dNSUnderscoresLongValidity.pem ├── dNSUnderscoresPermissibleOutOfDateRange.pem ├── dNSUnderscoresShortValidity.pem ├── directoryNamePresent.pem ├── dnsNameBadCharacterInLabel.pem ├── dnsNameClientCert.pem ├── dnsNameContainsBareIANASuffix.pem ├── 
dnsNameContainsQuestionMark.pem ├── dnsNameEmptyLabel.pem ├── dnsNameHyphenBeginningSLD.pem ├── dnsNameHyphenEndingSLD.pem ├── dnsNameLabelTooLong.pem ├── dnsNameNoEmptyLabel.pem ├── dnsNameNoLongerValidTLD.pem ├── dnsNameNoUnderscoreInSLD.pem ├── dnsNameNoUnderscoreInTRD.pem ├── dnsNameNotEmptyLabel.pem ├── dnsNameNotValidTLD.pem ├── dnsNameNotYetValidTLD.pem ├── dnsNameOnionTLD.pem ├── dnsNamePrivatePublicSuffix.pem ├── dnsNameProhibitedReservedLabel.pem ├── dnsNameUnderscoreInSLD.pem ├── dnsNameUnderscoreInTRD.pem ├── dnsNameValidTLD.pem ├── dnsNameWasValidTLD.pem ├── dnsNameWildcardCorrect.pem ├── dnsNameWildcardIncorrect.pem ├── dnsNameWildcardLeftOfPublicSuffix.pem ├── dnsNameWildcardNotLeftOfPublicSuffix.pem ├── dnsNameWildcardNotOnlyInLeftLabel.pem ├── dnsNameWildcardOnlyInLeftLabel.pem ├── dnsNameWithIPInCN.pem ├── dnsNameXNLabel.pem ├── dnsNamesNFC.pem ├── dnsNamesNFKC.pem ├── dnsNamesNotNFC.pem ├── dnsNamesNotNFKC.pem ├── domainValAllBad.pem ├── domainValGoodSubject.pem ├── domainValSubCaGood.pem ├── domainValWithLocal.pem ├── domainValWithOrg.pem ├── domainValWithPostal.pem ├── domainValWithProvince.pem ├── domainValWithStreet.pem ├── dsaBadQLen.pem ├── dsaCert.pem ├── dsaCorrectOrderInSubgroup.pem ├── dsaNotShorterThan2048Bits.pem ├── dsaShorterThan2048Bits.pem ├── dsaUniqueRep.pem ├── dupl_subj_attrs_ko_01.pem ├── dupl_subj_attrs_ko_02.pem ├── dupl_subj_attrs_ko_03.pem ├── dupl_subj_attrs_na_01.pem ├── dupl_subj_attrs_ne_01.pem ├── dupl_subj_attrs_ok_01.pem ├── dvCountry.pem ├── dvEmptySubject.pem ├── dvWithCNAndCountry.pem ├── dvWithOrganization.pem ├── dvWithSerialNumber.pem ├── ecc256_post_br_1_7_1.pem ├── eccP256.pem ├── eccP384.pem ├── eccP521.pem ├── eccP521Mp30.pem ├── eccSignedWithP384ButSHA256Signature.pem ├── eccSignedWithSHA512Signature.pem ├── eccWithSecp521r1KeySignedWithSHA512Signature.pem ├── ecdsaP224.pem ├── ecdsaP256.pem ├── ecdsaP256AbsentKU.pem ├── ecdsaP256KUIsDataEnciphermentInvalidKU.pem ├── 
ecdsaP256KUIsDigitalSignatureValidKU.pem ├── ecdsaP256KUIsKeyEnciphermentAndDataEnciphermentInvalidKU.pem ├── ecdsaP256KUIsKeyEnciphermentInvalidKU.pem ├── ecdsaP256ValidKUs.pem ├── ecdsaP384.pem ├── ecdsaP384InvalidKUs.pem ├── ecdsaP521.pem ├── eeServerCertValidEqual397.pem ├── eeServerCertValidEqual398.pem ├── eeServerCertValidOver397.pem ├── eeServerCertValidOver398.pem ├── eeServerCertValidOver398OldNotBefore.pem ├── eeWithRSAAllowedKeyUsage.pem ├── eeWithRSAAllowedKeyUsageOld.pem ├── eeWithRSADisallowedKeyUsage.pem ├── ekuAnyCrit.pem ├── ekuAnyNoCrit.pem ├── ekuCrit.pem ├── ekuNoAnyCrit.pem ├── ekuNoCrit.pem ├── emptyPermittedDNSBadExcludedDNS.pem ├── emptyPermittedDNSGoodExcludedDNS.pem ├── emptyPermittedIPExcludedBoth.pem ├── emptyPermittedIPExcludedIPv4.pem ├── emptyPermittedIPExcludedIPv6.pem ├── empty_sct_list_ko_01.pem ├── empty_sct_list_na_01.pem ├── empty_sct_list_na_02.pem ├── empty_sct_list_ok_01.pem ├── empty_sct_list_ok_02.pem ├── evAllGood.pem ├── evNoCountry.pem ├── evNoLocal.pem ├── evNoOrg.pem ├── evNoSN.pem ├── evOrgIdExtMissing_CABFOrgIdExtMissingButBeforeEffectiveDate.pem ├── evOrgIdExtMissing_Invalid.pem ├── evOrgIdExtMissing_NoOrgId.pem ├── evOrgIdExtMissing_Valid.pem ├── evOrgIdExtMissing_ValidButBeforeEffectiveDate.pem ├── evSanIpAddressPresent.pem ├── evSubscriberNotWildCard.pem ├── evSubscriberWildcardOnion.pem ├── evValidNotTooLong.pem ├── evValidNotTooLong825Days.pem ├── evValidTooLong.pem ├── evWildcard.pem ├── evenRsaMod.pem ├── exactlyOnFirstMilestoneExactly199days.pem ├── exactlyOnFirstMilestoneExactly200days.pem ├── exactlyOnFirstMilestoneLongerThan200days.pem ├── exactlyOnSecondMilestoneExactly100days.pem ├── exactlyOnSecondMilestoneExactly99days.pem ├── exactlyOnSecondMilestoneLongerThan100days.pem ├── exactlyOnThirdMilestoneExactly46days.pem ├── exactlyOnThirdMilestoneExactly47days.pem ├── exactlyOnThirdMilestoneLongerThan47days.pem ├── exc1Perm1UriConstraints.pem ├── exc1UriConstraint.pem ├── explicitText200Char.pem ├── 
explicitTextBMPNFC.pem ├── explicitTextBMPNotNFC.pem ├── explicitTextBMPString.pem ├── explicitTextNotNFC.pem ├── explicitTextUtf8NotNFC.pem ├── extSANDuplicated.pem ├── extSkiDuplicatedShortlist.pem ├── extUnknownDuplicated.pem ├── extUnknownDuplicatedCritical.pem ├── extraCommonNames.pem ├── extra_subj_attrs_ko1.pem ├── extra_subj_attrs_na1.pem ├── extra_subj_attrs_na2.pem ├── extra_subj_attrs_ne1.pem ├── extra_subj_attrs_ok1.pem ├── extra_subj_attrs_with_ou_ok2.pem ├── facebookOnionV3Address.pem ├── frshCRLCritical.pem ├── frshCRLNotCritical.pem ├── generalizedAfter2050.pem ├── generalizedHasSeconds.pem ├── generalizedNoFraction.pem ├── generalizedNoSeconds.pem ├── generalizedNotZulu.pem ├── generalizedPrior2050.pem ├── generalizedTimeBefore2050.pem ├── generalizedTimeNoSeconds.pem ├── givenNameCorrectPolicy.pem ├── givenNameIncorrectPolicy.pem ├── givenNameOver32768.pem ├── givenNameOver64.pem ├── givenNameUnder64.pem ├── goodRsaExp.pem ├── goodRsaExpLength.pem ├── gtldcnbad.pem ├── gtldcnip.pem ├── gtldcnnotdn.pem ├── gtldcnvalid.pem ├── gtlddnsbad.pem ├── gtlddnsip.pem ├── gtlddnsnotdn.pem ├── gtlddnsvalid.pem ├── html_entity_ko1.pem ├── html_entity_ko2.pem ├── html_entity_ko3.pem ├── html_entity_ok1.pem ├── html_entity_ok2.pem ├── html_entity_ok3.pem ├── idnCorrectUnicode.pem ├── idnMalformedUnicode.pem ├── illegalChar.pem ├── incorrect_ku_length.pem ├── incorrect_unused_bits_in_ku_encoding.pem ├── indivValAllBad.pem ├── indivValGivenNameOnly.pem ├── indivValGoodAllFields.pem ├── indivValGoodLocalNoProvince.pem ├── indivValGoodNoOrg.pem ├── indivValGoodOrgOnly.pem ├── indivValGoodProvinceNoLocal.pem ├── indivValNoCountry.pem ├── indivValNoLocalOrProvince.pem ├── indivValNoOrgOrPersonalNames.pem ├── indivValSurnameOnly.pem ├── inhibitAnyCrit.pem ├── inhibitAnyNotCrit.pem ├── invalidOnionAddress.pem ├── invalid_business_cat_ko_01.pem ├── invalid_business_cat_ko_02.pem ├── invalid_business_cat_ok_01.pem ├── invalid_business_cat_ok_02.pem ├── 
invalid_business_cat_ok_03.pem ├── invalid_business_cat_ok_04.pem ├── invalid_business_cat_ok_05.pem ├── invalid_business_cat_ok_06.pem ├── invalid_cps_uri_ko_01.pem ├── invalid_cps_uri_ko_02.pem ├── invalid_cps_uri_ko_03.pem ├── invalid_cps_uri_ok_01.pem ├── invalid_cps_uri_ok_02.pem ├── invalid_cps_uri_ok_03.pem ├── iors_ca_abc_e1_x1.pem ├── iors_ee_abc_e0_x1.pem ├── iors_ee_abc_e1_x0.pem ├── iors_ee_abc_e1_x1.pem ├── iors_ee_ntr_e1_x1.pem ├── iors_ee_nul_e1_x1.pem ├── iors_ee_psd_e1_x1.pem ├── iors_ee_vat_e1_x1.pem ├── ipAddressConstraintNotFQDN.pem ├── issuerDNLeadingSpace.pem ├── issuerDNTrailingSpace.pem ├── issuerFieldFilled.pem ├── issuerFieldMissing.pem ├── issuerRDNTwoAttribute.pem ├── issuerUID.pem ├── justBeforeFirstMilestone.pem ├── justBeforeSecondMilestoneExactly200days.pem ├── justBeforeThirdMilestoneExactly100days.pem ├── keyCertSignCA.pem ├── keyCertSignNotCA.pem ├── keyUsageCertSignEndEntity.pem ├── keyUsageCertSignNoBC.pem ├── keyUsageNoBits.pem ├── keyUsageNotCriticalSubCert.pem ├── keyUsageWithoutTrailingZeroes.pem ├── kuEkuConsistent.pem ├── kuEkuConsistentMp.pem ├── kuEkuInconsistent.pem ├── kuEkuInconsistentMp.pem ├── leg0_poliv_eff0_pseu0_pers0.pem ├── leg0_poliv_eff1_pseu0_pers0.pem ├── leg0_poliv_eff1_pseu0_pers1.pem ├── leg0_poliv_eff1_pseu1_pers0.pem ├── leg0_polmv_eff1_pseu0_pers0.pem ├── leg0_polov_eff1_pseu0_pers0.pem ├── leg0_polsv_eff0_pseu0_pers0.pem ├── leg0_polsv_eff1_pseu0_pers0.pem ├── leg0_polsv_eff1_pseu0_pers1.pem ├── leg0_polsv_eff1_pseu1_pers0.pem ├── leg1_poliv_eff1_pseu0_pers0.pem ├── legalChar.pem ├── localNoOrg.pem ├── localYesOrg.pem ├── md5WithRSASignatureAlgorithm.pem ├── mismatchingSigAlgsBadOID.pem ├── mismatchingSigAlgsBadParams.pem ├── mpAuthorityKeyIdentifierCorrect.pem ├── mpAuthorityKeyIdentifierIncorrect.pem ├── mpCrossCertNoEKU.pem ├── mpExponent1.pem ├── mpExponent10001.pem ├── mpModulus1024.pem ├── mpModulus2048.pem ├── mpModulus4095.pem ├── mpSubCAEKUAllowed.pem ├── mpSubCAEKUDisallowed1.pem ├── 
mpSubCAEKUDisallowed2.pem ├── mpSubCAEKUDisallowed3.pem ├── multDupeExts.pem ├── multExc1PermUriConstraints.pem ├── multExcMultPermUriConstraints.pem ├── multPermUriConstraints.pem ├── multiEmptyPubSuffix.pem ├── nameConstraintsMissing.pem ├── ncAllPres.pem ├── ncEmptyValue.pem ├── ncMinPres.pem ├── ncMinZero.pem ├── ncOnEDI.pem ├── ncOnRegId.pem ├── ncOnX400.pem ├── ne_subject_key_identifier_not_recommended_subscriber.pem ├── newlinesInTLD.pem ├── noAia.pem ├── noAuthorityConstraintNotFQDN.pem ├── noNameConstraint.pem ├── noPubExpRange.pem ├── noRsaLength.pem ├── nonEmptyPermitted.pem ├── nonEmptyPermittedDNS.pem ├── notDN.pem ├── o0s0ep0a0nc0.pem ├── o0s0ep0a0nc1.pem ├── o0s0ep0a1nc0.pem ├── o0s0ep0a1nc1.pem ├── o0s0ep1a0nc0.pem ├── o0s0ep1a0nc1.pem ├── o0s0ep1a1nc0.pem ├── o0s0ep1a1nc1.pem ├── o0s1ep0a0nc0.pem ├── o0s1ep0a0nc1.pem ├── o0s1ep0a1nc0.pem ├── o0s1ep0a1nc1.pem ├── o0s1ep1a0nc0.pem ├── o0s1ep1a0nc1.pem ├── o0s1ep1a1nc0.pem ├── o0s1ep1a1nc1.pem ├── o1s0ep0a0nc0.pem ├── o1s0ep0a0nc1.pem ├── o1s0ep0a1nc0.pem ├── o1s0ep0a1nc1.pem ├── o1s0ep1a0nc0.pem ├── o1s0ep1a0nc1.pem ├── o1s0ep1a1nc0.pem ├── o1s0ep1a1nc1.pem ├── o1s1ep0a0nc0.pem ├── o1s1ep0a0nc1.pem ├── o1s1ep0a1nc0.pem ├── o1s1ep0a1nc1.pem ├── o1s1ep1a0nc0.pem ├── o1s1ep1a0nc1.pem ├── o1s1ep1a1nc0.pem ├── o1s1ep1a1nc1.pem ├── ocspThisUpdateAfterProducedAt ├── ocspThisUpdateNotAfterProducedAt ├── oddRsaMod.pem ├── oldRootModSmall.pem ├── oldRootModTooSmall.pem ├── oldSubModSmall.pem ├── oldSubModTooSmall.pem ├── oldSubSmall.pem ├── oldSubTooSmall.pem ├── onionSANBadServDescHashMismatch.pem ├── onionSANBadServDescInvalidUTF8OnionURI.pem ├── onionSANBadServDescUnknownHashAlg.pem ├── onionSANEV.pem ├── onionSANEVBefore201.pem ├── onionSANGoodExpiry.pem ├── onionSANGoodServDesc.pem ├── onionSANLongExpiry.pem ├── onionSANLongExpiryPreBallot.pem ├── onionSANMissingServDescHash.pem ├── onionSANNotEV.pem ├── onionSANTooManyServDesc.pem ├── onionSANv2NameEV.pem ├── onionSANv2NameInvalidEV.pem ├── 
onionSANv2NameNonEV.pem ├── onionSANv3Name.pem ├── onionV3AndDNS.pem ├── onlyHostConstraintFQDN.pem ├── orgNoBoth.pem ├── orgNoCountry.pem ├── orgNoLocal.pem ├── orgNoProv.pem ├── orgValAllBad.pem ├── orgValGoodAllFields.pem ├── orgValGoodNoLocal.pem ├── orgValGoodNoProvince.pem ├── orgValNoCountry.pem ├── orgValNoOrg.pem ├── orgValNoProvinceOrLocal.pem ├── orgYesCountry.pem ├── orgid_subj_and_ext_ko_01.pem ├── orgid_subj_and_ext_ko_02.pem ├── orgid_subj_and_ext_ko_03.pem ├── orgid_subj_and_ext_ok_01.pem ├── orgid_subj_and_ext_ok_02.pem ├── orgid_subj_and_ext_ok_03.pem ├── orgid_subj_and_ext_ok_04.pem ├── orgid_subj_and_ext_ok_05.pem ├── orgid_subj_and_ext_ok_06.pem ├── orgunit_in_ca_ko1.pem ├── orgunit_in_ca_ok1.pem ├── orgunit_in_ca_ok2.pem ├── orgunit_in_ca_ok3.pem ├── orgunit_in_ca_ok4.pem ├── ouAbsentAfterSep22.pem ├── ouPresentAfterSep22.pem ├── ouPresentBeforeSep22.pem ├── ouPresentCATrueAfterSep22.pem ├── pass_subject_key_identifier_not_recommended_subscriber.pem ├── pdsAllHttps.pem ├── pdsOneHttp.pem ├── permConstraintNotFQDN.pem ├── policyConstEmpty.pem ├── policyConstGoodBoth.pem ├── policyConstGoodOnlyExplicit.pem ├── policyConstGoodOnlyInhibit.pem ├── policyConstNotCritical.pem ├── policyMapAnyPolNotAsserted.pem ├── policyMapFromAnyPolicy.pem ├── policyMapGood.pem ├── policyMapIssuerNotInCertPolicy.pem ├── policyMapNotCritical.pem ├── policyMapToAnyPolicy.pem ├── policyQualifiersOtherThanCpsNotPermittedError.pem ├── policyQualifiersOtherThanCpsNotPermittedNotApplicable.pem ├── policyQualifiersOtherThanCpsNotPermittedValid.pem ├── postalNoOrg.pem ├── postalYesOrg.pem ├── precert_with_sct_list_ko.pem ├── precert_with_sct_list_na1.pem ├── precert_with_sct_list_na2.pem ├── precert_with_sct_list_ok.pem ├── provNoOrg.pem ├── provYesOrg.pem ├── publicKeyIsECCP256WithCorrectEncoding.pem ├── publicKeyIsECCP384WithCorrectEncoding.pem ├── publicKeyIsECCP521WithCorrectEncoding.pem ├── publicKeyIsRSAExplicitNullMissing.pem ├── publicKeyIsRSAWithCorrectEncoding.pem 
├── qcLegal.pem ├── qcSmimeLegal.pem ├── qcSmimeNatural.pem ├── qcSmimeWeb.pem ├── rootCAKeyUsageMissing.pem ├── rootCAKeyUsageNotCritical.pem ├── rootCAKeyUsagePresent.pem ├── rootCANoKeyIdentifiers.pem ├── rootCAValid.pem ├── rootCAWithCertPolicy.pem ├── rootCAWithEKU.pem ├── rootCAWithEKUCertPolicy.pem ├── rootCAWithKeyIdentifiers.pem ├── rootCaMaxPathLenMissing.pem ├── rootCaMaxPathLenPresent.pem ├── rsaAlgIDNoNULLParams.pem ├── rsaFermatFactorizationSusceptible.pem ├── rsaKeyWithParameters.pem ├── rsaSigAlgoNoNULLParam.pem ├── rsassapssInSPKI.pem ├── rsassapssWithSHA256.pem ├── rsassapssWithSHA256ButIrregularSaltLength.pem ├── rsassapssWithSHA256EmptyHashParams.pem ├── rsassapssWithSHA384.pem ├── rsassapssWithSHA384EmptyHashParams.pem ├── rsassapssWithSHA512.pem ├── rsassapssWithSHA512EmptyHashParams.pem ├── rsawithsha1after2016.pem ├── rsawithsha1before2016.pem ├── sanPrivatePublicSuffix.pem ├── serialNumberLarge.pem ├── serialNumberLargeDueToSignedMSB.pem ├── serialNumberNegative.pem ├── serialNumberValid.pem ├── serialNumberZero.pem ├── sha1ExpireAfter2017.pem ├── sha1ExpirePrior2017.pem ├── sha1WithRSASignatureAlgorithm.pem ├── sha256WithRSAPSSSignatureAlgorithm.pem ├── siaCrit.pem ├── siaNotCrit.pem ├── skiCritical.pem ├── skiCriticalCA.pem ├── skiNotCriticalCA.pem ├── smime │ ├── MailboxAddressFromSAN │ │ ├── NotApplicable.pem │ │ ├── NotEffective.pem │ │ ├── WithOnlySANEmail.pem │ │ ├── WithOnlySANOtherName.pem │ │ ├── WithOtherNameIncorrectType.pem │ │ ├── WithOtherNameMatched.pem │ │ ├── WithOtherNameUnmatched.pem │ │ ├── WithSANEmailMatched.pem │ │ ├── WithSANEmailUnmatched.pem │ │ ├── sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem │ │ └── sponsorValidatedMultipurposePersonalNameInCN.pem │ ├── aiaWithIPAddress.pem │ ├── aiaWithInternalNamesCaIssuersStrict.pem │ ├── aiaWithInternalNamesLegacy.pem │ ├── aiaWithInternalNamesStrict.pem │ ├── aiaWithLDAPOCSPStrict.pem │ ├── aiaWithValidNamesLegacy.pem │ ├── aiaWithValidNamesStrict.pem │ ├── 
authority_key_identifier_invalid.pem │ ├── authority_key_identifier_valid.pem │ ├── domainValidatedWithEmailCommonName.pem │ ├── e_smime_qc_statements_must_not_be_critical_fail.pem │ ├── e_smime_qc_statements_must_not_be_critical_pass.pem │ ├── ec_legacy_digital_signature_key_agreement_content_commitment_decipher_only_ku.pem │ ├── ec_legacy_digital_signature_ku.pem │ ├── ec_legacy_key_agreement_cert_sign_ku.pem │ ├── ec_legacy_key_agreement_encipher_only_ku.pem │ ├── ec_multipurpose_digital_signature_content_commitment_ku.pem │ ├── ec_multipurpose_digital_signature_key_agreement_cert_sign_ku.pem │ ├── ec_multipurpose_key_agreement_decipher_only.pem │ ├── ec_multipurpose_valid_ku_august_2023.pem │ ├── ec_no_key_usages.pem │ ├── ec_strict_cert_sign_ku.pem │ ├── ec_strict_digital_signature_cert_sign_ku.pem │ ├── ec_strict_digital_signature_key_agreement_content_commitment_encipher_only_ku.pem │ ├── ec_strict_key_agreement_ku.pem │ ├── ed25519_legacy_digital_signature_ku.pem │ ├── ed25519_multipurpose_digital_signature_content_commitment_ku.pem │ ├── ed25519_strict_cert_sign_ku.pem │ ├── ed25519_strict_valid_ku_august_2023.pem │ ├── email_with_multiple_values.pem │ ├── individualValidatedLegacyWithCriticalAdobeArchRevInfoExtension.pem │ ├── individualValidatedStrictWithServerAuthEKU.pem │ ├── individual_validated_with_lei.pem │ ├── individual_validated_with_matching_country.pem │ ├── legacyAiaLdapOnly.pem │ ├── legacyAiaOneHTTPOneLdap.pem │ ├── legacy_subscriber_with_mixed_crl_distribution_points.pem │ ├── legacy_subscriber_with_non_http_crl_distribution_point.pem │ ├── mailboxValidatedLegacyWithCommonName.pem │ ├── mailboxValidatedLegacyWithCommonNameMay2023.pem │ ├── mailboxValidatedLegacyWithCountryName.pem │ ├── mailboxValidatedLegacyWithNonCriticalAdobeTimeStampExtension.pem │ ├── mailboxValidatedLegacyWithoutEmailProtectionEKU.pem │ ├── mailboxValidatedMultipurposeWithCommonName.pem │ ├── mailboxValidatedMultipurposeWithNonsenseSubjectField.pem │ ├── 
mailboxValidatedStrictMay2023.pem │ ├── mailboxValidatedStrictWithCommonName.pem │ ├── mailboxValidatedStrictWithoutAdobeExtensions.pem │ ├── mailbox_validated_common_name_absent.pem │ ├── mailbox_validated_common_name_bad_email.pem │ ├── mailbox_validated_common_name_good_email.pem │ ├── mailbox_validated_with_lei.pem │ ├── multiple_email_present.pem │ ├── multipurposeWithSubjectDirectoryAttributes.pem │ ├── noEmailAddressInSubjectDN.pem │ ├── no_email_present.pem │ ├── oneEmailAddressInSubjectDN.pem │ ├── organizationValidatedLegacyWithAdobeTimeStampExtensionMay2023.pem │ ├── organizationValidatedMultipurposeWithNonCriticalAdobeArchRevInfoExtension.pem │ ├── organizationValidatedMultipurposeWithServerAuthEKU.pem │ ├── organizationValidatedStrictWithAdobeTimeStampExtension.pem │ ├── organization_validated_with_incorrect_format_identifier.pem │ ├── organization_validated_with_lei_critical.pem │ ├── organization_validated_with_lei_role.pem │ ├── organization_validated_with_matching_country.pem │ ├── organization_validated_with_non_matching_country.pem │ ├── organization_validatged_with_no_country_specified.pem │ ├── rsa_legacy_digital_signature_cert_sign_ku.pem │ ├── rsa_legacy_digital_signature_key_encipherment_cert_sign_ku.pem │ ├── rsa_legacy_digital_signature_key_encipherment_content_commitment_data_encipherment_ku.pem │ ├── rsa_legacy_digital_signature_ku.pem │ ├── rsa_legacy_key_encipherment_ku.pem │ ├── rsa_multipurpose_cert_sign_ku.pem │ ├── rsa_multipurpose_digital_signature_content_commitment_ku.pem │ ├── rsa_multipurpose_key_encipherment_cert_sign_ku.pem │ ├── rsa_multipurpose_key_encipherment_data_encipherment_ku.pem │ ├── rsa_multipurpose_valid_ku_august_2023.pem │ ├── rsa_no_key_usages.pem │ ├── rsa_strict_cert_sign_ku.pem │ ├── rsa_strict_digital_signature_cert_sign_ku.pem │ ├── rsa_strict_digital_signature_content_commitment_ku.pem │ ├── rsa_strict_digital_signature_key_encipherment_cert_sign_ku.pem │ ├── 
rsa_strict_digital_signature_key_encipherment_content_commitment_ku.pem │ ├── rsa_strict_digital_signature_ku.pem │ ├── rsa_strict_key_encipherment_cert_sign_ku.pem │ ├── rsa_strict_key_encipherment_ku.pem │ ├── rsa_strict_valid_ku_august_2023.pem │ ├── san_critical_non_empty_subject.pem │ ├── san_non_critical_non_empty_subject.pem │ ├── san_not_critical_with_empty_subject.pem │ ├── san_not_critical_with_subject.pem │ ├── single_email_present.pem │ ├── sponsorValidatedMultipurposeWithCriticalAdobeTimeStampExtension.pem │ ├── sponsorValidatedStrictWithAdobeArchRevInfoExtension.pem │ ├── sponsor_validated_with_lei_critical.pem │ ├── sponsor_validated_with_lei_role_critical.pem │ ├── sponsor_validated_with_matching_country.pem │ ├── strict_subscriber_with_http_crl_distribution_point.pem │ ├── strict_subscriber_with_mixed_crl_distribution_points.pem │ ├── strict_subscriber_with_non_http_crl_distribution_point.pem │ ├── subject_country_name_invalid.pem │ ├── subject_country_name_valid.pem │ ├── subscriber_no_crl_distribution_points.pem │ ├── subscriber_with_crl_distribution_points.pem │ ├── twoEmailAddressesInSubjectDN.pem │ ├── with_lei_and_gov_organizationidentifier.pem │ ├── with_non_critical_ku_extension.pem │ ├── with_single_int_organizationidentifier.pem │ ├── with_single_lei_organizationidentifier.pem │ ├── with_subject_alternative_name.pem │ ├── with_subject_alternative_name_no_br.pem │ └── without_subject_alternative_name.pem ├── smime_leg0_xx_eff1.pem ├── smime_leg1_iv_eff1.pem ├── smime_leg1_mv_eff1.pem ├── smime_leg1_ov_eff1.pem ├── smime_leg1_sv_eff1.pem ├── smime_leg1_xx_eff0.pem ├── streetAddressCanExist.pem ├── streetAddressCannotExist.pem ├── streetNoOrg.pem ├── streetYesOrg.pem ├── subCAAIACrit.pem ├── subCAAIAMarkedCritical.pem ├── subCAAIAMissing.pem ├── subCAAIAMissingPostCABFBR171.pem ├── subCAAIANotMarkedCritical.pem ├── subCAAIAValid.pem ├── subCAAIAValidPostCABFBR171.pem ├── subCAEKUMissing.pem ├── subCAEKUNotMissing.pem ├── 
subCAEKUNotValidFields.pem ├── subCAEKUValidFields.pem ├── subCANoSKI.pem ├── subCAWBothURL.pem ├── subCAWCertPolicyCrit.pem ├── subCAWCertPolicyNoCrit.pem ├── subCAWEkuCrit.pem ├── subCAWEkuNoCrit.pem ├── subCAWIssuerURL.pem ├── subCAWNameConstCrit.pem ├── subCAWNameConstNoCrit.pem ├── subCAWNoCertPolicy.pem ├── subCAWNoNameConst.pem ├── subCAWNoURL.pem ├── subCAWNocrlDist.pem ├── subCAWOcspURL.pem ├── subCAWcrlDistCrit.pem ├── subCAWcrlDistNoCrit.pem ├── subCAWithAnyPolicy.pem ├── subCAcrlDistNoURL.pem ├── subCaCrlMissing.pem ├── subCaCrlPresent.pem ├── subCaEmptySubject.pem ├── subCaNoCertPolicy.pem ├── subCaNokeyUsage.pem ├── subCert825DaysOK.pem ├── subCertAIAMarkedCritical.pem ├── subCertAIAMissing.pem ├── subCertAIANotMarkedCritical.pem ├── subCertCountryNameMustAppear.pem ├── subCertEmptySubject.pem ├── subCertIsCA.pem ├── subCertIsNotCA.pem ├── subCertLocalityNameDoesNotNeedToAppear.pem ├── subCertLocalityNameMustAppear.pem ├── subCertLocalityNameNotProhibited.pem ├── subCertLocalityNameProhibited.pem ├── subCertNoCertPolicy.pem ├── subCertNoKeyUsage.pem ├── subCertNoSKI.pem ├── subCertOver825DaysBad.pem ├── subCertOver825DaysOK.pem ├── subCertPathLenNegative.pem ├── subCertPathLenPositive.pem ├── subCertPolicyCrit.pem ├── subCertPolicyMissing.pem ├── subCertPolicyNoCrit.pem ├── subCertPostalCodeNotProhibited.pem ├── subCertPostalCodeProhibited.pem ├── subCertProvinceCanAppear.pem ├── subCertProvinceMustNotAppear.pem ├── subCertProvinceNotProhibited.pem ├── subCertProvinceProhibited.pem ├── subCertValidTimeGood.pem ├── subCertValidTimeTooLong.pem ├── subCertWBothURL.pem ├── subCertWIssuerURL.pem ├── subCertWNoURL.pem ├── subCertWOcspURL.pem ├── subCrlDistCrit.pem ├── subCrlDistNoCrit.pem ├── subCrlDistNoURL.pem ├── subCrlDistURL.pem ├── subCrlDistURLInCompoundFullName.pem ├── subDirAttCritical.pem ├── subExtKeyUSageServerAndClientAuth.pem ├── subExtKeyUsageClient.pem ├── subExtKeyUsageClientAuth.pem ├── subExtKeyUsageClientAuthPreBRv2.pem ├── 
subExtKeyUsageCodeSign.pem ├── subExtKeyUsageMissing.pem ├── subExtKeyUsageServ.pem ├── subExtKeyUsageServClient.pem ├── subExtKeyUsageServClientEmail.pem ├── subExtKeyUsageServClientEmailCodeSign.pem ├── subExtKeyUsageServerAuth.pem ├── subExtKeyUsageServerAuthAndPreCertSigCert.pem ├── subExtKeyUsageServerAuthAndTimeStamping.pem ├── subExtKeyUsageServerAuthAndUnknown.pem ├── subKeyUsageInvalid.pem ├── subKeyUsageValid.pem ├── subjectBusinessCategoryCorrectEncoding.pem ├── subjectBusinessCategoryWrongEncoding.pem ├── subjectCCorrectEncoding.pem ├── subjectCNCorrectEncoding.pem ├── subjectCNWrongEncoding.pem ├── subjectCWrongEncoding.pem ├── subjectCommonNameLengthGood.pem ├── subjectCommonNameLong.pem ├── subjectCommonNamePrintableStringBadAlpha.pem ├── subjectDCCorrectEncoding.pem ├── subjectDCWrongEncoding.pem ├── subjectDNLeadingSpace.pem ├── subjectDNNotPrintableCharacters.pem ├── subjectDNNotPrintableCharsUTF8.pem ├── subjectDNTrailingSpace.pem ├── subjectDnWithDeprecatedOuEntry.pem ├── subjectDnWithOuEntryButWithoutOEntry.pem ├── subjectDnWithoutOuEntry.pem ├── subjectEmailPresent.pem ├── subjectEmptyNoSAN.pem ├── subjectGivenName.pem ├── subjectGivenNameCorrectEncoding.pem ├── subjectGivenNameToolLong.pem ├── subjectGivenNameWrongEncoding.pem ├── subjectGoodIP.pem ├── subjectInvalidCountry.pem ├── subjectLCorrectEncoding.pem ├── subjectLWrongEncoding.pem ├── subjectLocalityNameLengthGood.pem ├── subjectLocalityNameLong.pem ├── subjectOCorrectEncoding.pem ├── subjectOUCorrectEncoding.pem ├── subjectOUWrongEncoding.pem ├── subjectOWrongEncoding.pem ├── subjectOrganizationIdentifierCorrectEncoding.pem ├── subjectOrganizationIdentifierWrongEncoding.pem ├── subjectOrganizationNameLengthGood.pem ├── subjectOrganizationNameLong.pem ├── subjectOrganizationalUnitNameLengthGood.pem ├── subjectOrganizationalUnitNameLong.pem ├── subjectPostalCode.pem ├── subjectPostalCodeCorrectEncoding.pem ├── subjectPostalCodeTooLong.pem ├── subjectPostalCodeWrongEncoding.pem ├── 
subjectRDNSIPv4BadIP.pem ├── subjectRDNSIPv4GoodIP.pem ├── subjectRDNSIPv4ReservedIP.pem ├── subjectRDNSIPv4TooFewLabels.pem ├── subjectRDNSIPv6BadIP.pem ├── subjectRDNSIPv6GoodIP.pem ├── subjectRDNSIPv6ReservedIP.pem ├── subjectRDNSIPv6TooFewLabels.pem ├── subjectRDNTwoAttribute.pem ├── subjectReservedIP.pem ├── subjectReservedIP6.pem ├── subjectSTCorrectEncoding.pem ├── subjectSTWrongEncoding.pem ├── subjectSerialNumberCorrectEncoding.pem ├── subjectSerialNumberWrongEncoding.pem ├── subjectStateNameLengthGood.pem ├── subjectStateNameLong.pem ├── subjectStreetAddress.pem ├── subjectStreetAddressTooLong.pem ├── subjectStreetCorrectEncoding.pem ├── subjectStreetWrongEncoding.pem ├── subjectSurname.pem ├── subjectSurnameCorrectEncoding.pem ├── subjectSurnameTooLong.pem ├── subjectSurnameWrongEncoding.pem ├── subjectUID.pem ├── subjectValidCountry.pem ├── subjectWithOandOUAfterEffectiveDate.pem ├── subjectWithOandOUBeforeEffectiveDate.pem ├── subjectWithSingleQuote.pem ├── subject_rdn_order_ko_01.pem ├── subject_rdn_order_ko_02.pem ├── subject_rdn_order_ko_03.pem ├── subject_rdn_order_ko_04.pem ├── subject_rdn_order_ko_05.pem ├── subject_rdn_order_ko_06.pem ├── subject_rdn_order_ko_07.pem ├── subject_rdn_order_ok_01.pem ├── subject_rdn_order_ok_02.pem ├── subject_rdn_order_ok_03.pem ├── subject_rdn_order_ok_04.pem ├── subject_rdn_order_ok_05.pem ├── subject_rdn_order_ok_06.pem ├── subject_rdn_order_ok_07.pem ├── subjectjurCCorrectEncoding.pem ├── subjectjurCWrongEncoding.pem ├── subjectjurLCorrectEncoding.pem ├── subjectjurLWrongEncoding.pem ├── subjectjurSTCorrectEncoding.pem ├── subjectjurSTWrongEncoding.pem ├── surnameCorrectPolicy.pem ├── surnameIncorrectPolicy.pem ├── surnameOver32768.pem ├── surnameOver64.pem ├── surnameUnder64.pem ├── trustwaveP256CASuperfluousBytesOnKU.pem ├── trustwaveP384CASuperfluousBytesOnKU.pem ├── uniqueIdVersion1.pem ├── uniqueIdVersion3.pem ├── unknownpublickey.pem ├── unsupportedAccessMethod.pem ├── userNoticeExpTextNotIA5String.pem 
├── userNoticeExpTextUtf8.pem ├── userNoticeMissing.pem ├── userNoticePres.pem ├── userNoticeUnrecommended.pem ├── utcHasSeconds.pem ├── utcNoSeconds.pem ├── utcNotZulu.pem ├── utf8ControlX10.pem ├── utf8ControlX88.pem ├── utf8NoControl.pem ├── utf8_lat1_mixup_ko1.pem ├── utf8_lat1_mixup_ko2.pem ├── utf8_lat1_mixup_ko3.pem ├── utf8_lat1_mixup_ok1.pem ├── validComodo.pem ├── validRsaExpRange.pem ├── validityNegative.pem ├── warn_subject_key_identifier_not_recommended_subscriber.pem ├── withAnyPolicyAndCPSQualifier.pem ├── withAnyPolicyAndNoPolicyQualifiers.pem ├── withAnyPolicyAndUserNoticeQualifier.pem ├── withAnyPolicyWithoutCPSOrUserNoticeQualifier.pem ├── withValidPoliciesRegardingAnyPolicy.pem ├── withinThirdMilestoneLeapYear.pem ├── withoutAnyPolicy.pem ├── yesDN.pem ├── yesNameConstraint.pem ├── yesPubExpRange.pem └── yesRsaLength.pem ├── util ├── algorithm_identifier.go ├── algorithm_identifier_test.go ├── ca.go ├── countries.go ├── cs.go ├── eku.go ├── encodings.go ├── ev.go ├── fqdn.go ├── fqdn_test.go ├── gtld.go ├── gtld_map.go ├── gtld_test.go ├── idna.go ├── idna_test.go ├── ip.go ├── ku.go ├── names.go ├── oid.go ├── onion.go ├── onion_test.go ├── primes.go ├── qc_stmt.go ├── rdn.go ├── san.go ├── smime_policies.go ├── time.go └── time_test.go ├── zlint.go └── zlint_test.go /.github/workflows/go.yml: -------------------------------------------------------------------------------- 1 | name: Go 2 | on: 3 | push: 4 | pull_request: 5 | schedule: 6 | # Run every 12 hours, at the 15 minute mark. E.g. 
7 | # 2020-11-29 00:15:00 UTC, 2020-11-29 12:15:00 UTC, 2020-11-30 00:15:00 UTC 8 | - cron: '15 */12 * * *' 9 | jobs: 10 | 11 | build: 12 | name: Build and Unit Test 13 | runs-on: ubuntu-latest 14 | steps: 15 | 16 | - name: Set up Go 17 | uses: actions/setup-go@v2 18 | with: 19 | go-version: ^1.18 20 | 21 | - name: Check out code 22 | uses: actions/checkout@v2 23 | 24 | - name: Build 25 | run: make 26 | working-directory: v3 27 | 28 | - name: Test 29 | run: make test 30 | working-directory: v3 31 | -------------------------------------------------------------------------------- /.github/workflows/golangci-lint.yml: -------------------------------------------------------------------------------- 1 | name: golangci-lint 2 | on: 3 | push: 4 | pull_request: 5 | schedule: 6 | # Run every 12 hours, at the 15 minute mark. E.g. 7 | # 2020-11-29 00:15:00 UTC, 2020-11-29 12:15:00 UTC, 2020-11-30 00:15:00 UTC 8 | - cron: '15 */12 * * *' 9 | jobs: 10 | golangci: 11 | name: Lint Sourcecode 12 | runs-on: ubuntu-latest 13 | steps: 14 | 15 | - name: Check out code 16 | uses: actions/checkout@v2 17 | - name: Install golangci-lint 18 | run: | 19 | VERSION=1.62.0 20 | wget https://github.com/golangci/golangci-lint/releases/download/v${VERSION}/golangci-lint-${VERSION}-linux-amd64.tar.gz 21 | tar zxvf golangci-lint-${VERSION}-linux-amd64.tar.gz 22 | mv golangci-lint-${VERSION}-linux-amd64/golangci-lint . 23 | - name: Run golangci-lint 24 | run: | 25 | cd v3 26 | ../golangci-lint run 27 | -------------------------------------------------------------------------------- /.github/workflows/integration.yml: -------------------------------------------------------------------------------- 1 | name: integration-test 2 | on: 3 | push: 4 | pull_request: 5 | schedule: 6 | # Run every 12 hours, at the 15 minute mark. E.g. 
7 | # 2020-11-29 00:15:00 UTC, 2020-11-29 12:15:00 UTC, 2020-11-30 00:15:00 UTC 8 | - cron: '15 */12 * * *' 9 | jobs: 10 | test: 11 | name: Integration Tests 12 | runs-on: ubuntu-latest 13 | steps: 14 | 15 | - name: Set up Go 16 | uses: actions/setup-go@v2 17 | with: 18 | go-version: ^1.18 19 | 20 | - name: Check out code 21 | uses: actions/checkout@v2 22 | 23 | - name: Check for cached integration corpus 24 | uses: actions/cache@v4 25 | with: 26 | path: v3/data 27 | key: ${{ runner.os }}-${{ hashFiles('v3/integration/**') }} 28 | 29 | - name: Run integration tests 30 | run: make integration PARALLELISM=3 31 | working-directory: v3 32 | 33 | - name: Run custom code linters 34 | run: make custom-code-lint 35 | working-directory: v3 36 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: goreleaser 2 | on: 3 | push: 4 | tags: 5 | - v* 6 | jobs: 7 | goreleaser: 8 | name: Publish Release 9 | runs-on: ubuntu-latest 10 | steps: 11 | 12 | - name: Checkout 13 | uses: actions/checkout@v2 14 | with: 15 | fetch-depth: 0 16 | 17 | - name: Set up Go 18 | uses: actions/setup-go@v2 19 | with: 20 | go-version: ^1.18 21 | 22 | - name: Run GoReleaser 23 | uses: goreleaser/goreleaser-action@v2 24 | with: 25 | version: latest 26 | args: release --clean 27 | workdir: v3 28 | env: 29 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 30 | -------------------------------------------------------------------------------- /.github/workflows/testdata-lint.yml: -------------------------------------------------------------------------------- 1 | name: testdata-lint 2 | on: 3 | push: 4 | pull_request: 5 | schedule: 6 | # Run every 12 hours, at the 15 minute mark. E.g. 
7 | # 2020-11-29 00:15:00 UTC, 2020-11-29 12:15:00 UTC, 2020-11-30 00:15:00 UTC 8 | - cron: '15 */12 * * *' 9 | jobs: 10 | build: 11 | name: Check Testdata 12 | runs-on: ubuntu-latest 13 | steps: 14 | 15 | - name: Check out code 16 | uses: actions/checkout@v2 17 | 18 | - name: Lint Testdata 19 | run: make testdata-lint 20 | working-directory: v3 21 | -------------------------------------------------------------------------------- /.golangci.yaml: -------------------------------------------------------------------------------- 1 | linters-settings: 2 | gocyclo: 3 | min-complexity: 25 4 | govet: 5 | check-shadowing: false 6 | misspell: 7 | locale: "US" 8 | 9 | linters: 10 | enable-all: true 11 | disable: 12 | - tparallel 13 | - nonamedreturns 14 | - exhaustruct 15 | - stylecheck 16 | - gosec 17 | - dupl 18 | - depguard 19 | - lll 20 | - prealloc 21 | - gocritic 22 | - gochecknoinits 23 | - gochecknoglobals 24 | - godox 25 | - funlen 26 | - wsl 27 | - whitespace 28 | - gocognit 29 | - testpackage 30 | - gofumpt 31 | - exhaustive 32 | - goconst 33 | - godot 34 | - forbidigo 35 | - nlreturn 36 | - ireturn 37 | - paralleltest 38 | - varnamelen 39 | - wrapcheck 40 | - gci 41 | - cyclop 42 | - errorlint 43 | - revive 44 | - errname 45 | - forcetypeassert 46 | - tagliatelle 47 | - nilnil 48 | - mnd 49 | - copyloopvar 50 | - intrange 51 | - err113 52 | 53 | issues: 54 | exclude-rules: 55 | # The existing ETSI lints have some gnarly logic that needs 56 | # simplification/cleanup. For now we skip some linters for this dir. 
57 | - path: lints/etsi/ 58 | linters: 59 | - nestif 60 | - gosimple 61 | - path: util/qc_stmt.go 62 | linters: 63 | - nestif 64 | -------------------------------------------------------------------------------- /v3/.goreleaser.yml: -------------------------------------------------------------------------------- 1 | project_name: zlint 2 | before: 3 | hooks: 4 | - go mod tidy 5 | builds: 6 | - 7 | main: ./cmd/zlint/main.go 8 | binary: zlint 9 | env: 10 | - CGO_ENABLED=0 11 | goos: 12 | - linux 13 | - freebsd 14 | - windows 15 | - darwin 16 | goarch: 17 | - amd64 18 | archives: 19 | - 20 | wrap_in_directory: true 21 | name_template: >- 22 | {{- .ProjectName }}_ 23 | {{- .Version }}_ 24 | {{- title .Os }}_ 25 | {{- if eq .Arch "amd64" }}x86_64 26 | {{- else if eq .Arch "386" }}i386 27 | {{- else }}{{ .Arch }}{{ end }} 28 | {{- if .Arm }}v{{ .Arm }}{{ end -}} 29 | snapshot: 30 | name_template: "{{ .Tag }}-next" 31 | release: 32 | draft: true 33 | prerelease: auto 34 | -------------------------------------------------------------------------------- /v3/cmd/genTestCerts/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/zmap/zlint/v3/cmd/genTestCerts 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.23.6 6 | 7 | replace github.com/zmap/zlint/v3 => ../../ 8 | 9 | require ( 10 | github.com/zmap/zcrypto v0.0.0-20250129210703-03c45d0bae98 11 | github.com/zmap/zlint/v3 v3.6.5 12 | ) 13 | 14 | require ( 15 | github.com/weppos/publicsuffix-go v0.40.3-0.20250127173806-e489a31678ca // indirect 16 | golang.org/x/crypto v0.36.0 // indirect 17 | golang.org/x/net v0.38.0 // indirect 18 | golang.org/x/text v0.23.0 // indirect 19 | ) 20 | -------------------------------------------------------------------------------- /v3/cmd/gen_test_crl/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/zmap/zlint/v3/cmd/gen_test_crl 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.23.6 6 | 7 | 
replace github.com/zmap/zlint/v3 => ../../ 8 | 9 | require ( 10 | github.com/sirupsen/logrus v1.9.3 11 | github.com/zmap/zcrypto v0.0.0-20250129210703-03c45d0bae98 12 | github.com/zmap/zlint/v3 v3.6.5 13 | ) 14 | 15 | require ( 16 | github.com/weppos/publicsuffix-go v0.40.3-0.20250127173806-e489a31678ca // indirect 17 | golang.org/x/crypto v0.36.0 // indirect 18 | golang.org/x/net v0.38.0 // indirect 19 | golang.org/x/sys v0.31.0 // indirect 20 | golang.org/x/text v0.23.0 // indirect 21 | ) 22 | -------------------------------------------------------------------------------- /v3/cmd/zlint/config.toml: -------------------------------------------------------------------------------- 1 | 2 | [AppleRootStorePolicyConfig] 3 | 4 | [CABFBaselineRequirementsConfig] 5 | 6 | [CABFEVGuidelinesConfig] 7 | 8 | [CommunityConfig] 9 | 10 | [MozillaRootStorePolicyConfig] 11 | 12 | [RFC5280Config] 13 | 14 | [RFC5480Config] 15 | 16 | [RFC5891Config] 17 | 18 | [e_rsa_fermat_factorization] 19 | Rounds = 0 20 | -------------------------------------------------------------------------------- /v3/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/zmap/zlint/v3 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.23.6 6 | 7 | require ( 8 | github.com/kr/text v0.2.0 // indirect 9 | github.com/pelletier/go-toml v1.9.5 10 | github.com/sirupsen/logrus v1.9.3 11 | github.com/zmap/zcrypto v0.0.0-20250129210703-03c45d0bae98 12 | golang.org/x/crypto v0.36.0 13 | golang.org/x/net v0.38.0 14 | golang.org/x/text v0.23.0 15 | ) 16 | 17 | require ( 18 | github.com/weppos/publicsuffix-go v0.40.3-0.20250127173806-e489a31678ca // indirect 19 | golang.org/x/sys v0.31.0 // indirect 20 | ) 21 | -------------------------------------------------------------------------------- /v3/integration/certByFP.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | cd "$(dirname "$0")" 4 | 5 | DATA="../data/*.csv" 6 | 
7 | row=$(grep "$1" $DATA) 8 | 9 | echo "$row" | \ 10 | awk -F "," '{print $(NF-1)}' | \ 11 | base64 -d | \ 12 | openssl x509 -inform DER -outform PEM -text 13 | 14 | echo "" 15 | echo "+ View on Censys: https://censys.io/certificates/$1" 16 | echo "" 17 | -------------------------------------------------------------------------------- /v3/integration/lints/README.md: -------------------------------------------------------------------------------- 1 | # Linting the Linter 2 | 3 | This directory contains a collection of Golang code linters that are intended to be very specific to ZLint itself. 4 | 5 | # Running 6 | 7 | ```bash 8 | go run main.go 9 | ``` 10 | 11 | The linter will walk the given directory recursively and attempt to parse and lint each Go file it comes across. 12 | 13 | In order to extend this custom linter, write a new Go file in the `lints` directory which contains a struct that implements the following interface. 14 | 15 | # Extending 16 | 17 | ```go 18 | type Lint interface { 19 | Lint(tree *ast.File, file *File) *Result 20 | CheckApplies(tree *ast.File, file *File) bool 21 | } 22 | ``` 23 | 24 | Then go into `main.go` and add a pointer to your lint to the `Linters` slice. 25 | 26 | ```go 27 | var Linters = []lint.Lint{ 28 | &lints.InitFirst{}, 29 | &lints.MySuperCoolLint{} 30 | } 31 | ``` 32 | -------------------------------------------------------------------------------- /v3/integration/lints/filters/files.go: -------------------------------------------------------------------------------- 1 | package filters 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. 
You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License. 15 | */ 16 | 17 | import ( 18 | "strings" 19 | 20 | "github.com/zmap/zlint/v3/integration/lints/lint" 21 | ) 22 | 23 | func IsALint(file *lint.File) bool { 24 | return strings.HasPrefix(file.Name, "lint_") && IsAGoFile(file) && !IsATest(file) 25 | } 26 | 27 | func IsAGoFile(file *lint.File) bool { 28 | return strings.HasSuffix(file.Name, ".go") 29 | } 30 | 31 | func IsATest(file *lint.File) bool { 32 | return strings.HasSuffix(file.Name, "test.go") 33 | } 34 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/register_lint_deprecated_test.go: -------------------------------------------------------------------------------- 1 | package lints 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/zmap/zlint/v3/integration/lints/lint" 7 | ) 8 | 9 | func TestRegisterLintDeprecated_Lint(t *testing.T) { 10 | 11 | data := []struct { 12 | inputFile string 13 | expectPass bool 14 | }{ 15 | {inputFile: "testdata/lint_usesRegisterLint.go", expectPass: false}, 16 | {inputFile: "testdata/lint_usesRegisterCertificateLint.go", expectPass: true}, 17 | {inputFile: "testdata/lint_usesRegisterProfile.go", expectPass: true}, 18 | {inputFile: "testdata/lint_usesRegisterRevocationListLint.go", expectPass: true}, 19 | } 20 | l := &RegisterLintDeprecated{} 21 | for _, test := range data { 22 | file := test.inputFile 23 | want := test.expectPass 24 | t.Run(file, func(t *testing.T) { 25 | r, err := lint.RunLintForFile(file, l) 26 | if err != nil { 27 | t.Fatal(err) 28 | } 29 | if want && r != nil { 30 | 
t.Errorf("got unexepcted error result, %s", r) 31 | } else if !want && r == nil { 32 | t.Errorf("expected failure but got nothing") 33 | } 34 | }) 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/testdata/lint_initializeFirst.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License. 15 | */ 16 | 17 | func init() {} 18 | 19 | //nolint:staticcheck 20 | type initializeFirstTest struct{} 21 | 22 | func (i *initializeFirstTest) Initialize() error { 23 | return nil 24 | } 25 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/testdata/lint_initializeFirstNoFunctions.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. 
You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License. 15 | */ 16 | 17 | const initializeFirstString = "this is not the greatest song in the world" 18 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/testdata/lint_initializeNotFirst.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License. 
15 | */ 16 | 17 | func initializeNotFirst() {} 18 | 19 | type initializeNotFirstTest struct{} 20 | 21 | func (i *initializeNotFirstTest) Initialize() error { 22 | return nil 23 | } 24 | 25 | func init() {} 26 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/testdata/lint_usesRegisterCertificateLint.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | import "github.com/zmap/zlint/v3/lint" 4 | 5 | /* 6 | * ZLint Copyright 2024 Regents of the University of Michigan 7 | * 8 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 9 | * use this file except in compliance with the License. You may obtain a copy 10 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 15 | * implied. See the License for the specific language governing 16 | * permissions and limitations under the License. 17 | */ 18 | 19 | func init() { 20 | lint.RegisterCertificateLint(nil) 21 | } 22 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/testdata/lint_usesRegisterLint.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | import "github.com/zmap/zlint/v3/lint" 4 | 5 | /* 6 | * ZLint Copyright 2024 Regents of the University of Michigan 7 | * 8 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 9 | * use this file except in compliance with the License. 
You may obtain a copy 10 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 15 | * implied. See the License for the specific language governing 16 | * permissions and limitations under the License. 17 | */ 18 | 19 | func init() { 20 | lint.RegisterLint(nil) 21 | } 22 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/testdata/lint_usesRegisterProfile.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | import "github.com/zmap/zlint/v3/lint" 4 | 5 | /* 6 | * ZLint Copyright 2024 Regents of the University of Michigan 7 | * 8 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 9 | * use this file except in compliance with the License. You may obtain a copy 10 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 15 | * implied. See the License for the specific language governing 16 | * permissions and limitations under the License. 
17 | */ 18 | 19 | func init() { 20 | lint.RegisterProfile(lint.Profile{}) 21 | } 22 | -------------------------------------------------------------------------------- /v3/integration/lints/lints/testdata/lint_usesRegisterRevocationListLint.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | import "github.com/zmap/zlint/v3/lint" 4 | 5 | /* 6 | * ZLint Copyright 2024 Regents of the University of Michigan 7 | * 8 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 9 | * use this file except in compliance with the License. You may obtain a copy 10 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 15 | * implied. See the License for the specific language governing 16 | * permissions and limitations under the License. 17 | */ 18 | 19 | func init() { 20 | lint.RegisterRevocationListLint(nil) 21 | } 22 | -------------------------------------------------------------------------------- /v3/integration/lints/main_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. 
See the License for the specific language governing 14 | * permissions and limitations under the License. 15 | */ 16 | 17 | import "testing" 18 | 19 | // `main` has a runner function simply named `run` which takes in a string which is a directory that will be recursively 20 | // searched for Go files to lint. In this particular case, we have some sample Go files under `testdata`. 21 | func TestFullRun(t *testing.T) { 22 | results, err := run("testdata") 23 | if err != nil { 24 | t.Error(err) 25 | return 26 | } 27 | if len(results) != 1 { 28 | t.Errorf("expected 1 error, got %d", len(results)) 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /v3/integration/lints/testdata/lint_initFirst.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License. 
15 | */ 16 | 17 | func init() {} 18 | 19 | type initializeFirstTest struct{} 20 | 21 | func (i *initializeFirstTest) Initialize() error { 22 | return nil 23 | } 24 | -------------------------------------------------------------------------------- /v3/integration/lints/testdata/lint_initializeFirstNoFunctions.go: -------------------------------------------------------------------------------- 1 | package testdata 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License. 15 | */ 16 | 17 | const initializeFirstString = "this is not the greatest song in the world" 18 | -------------------------------------------------------------------------------- /v3/integration/lints/testdata/notAGolangFile.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # 4 | # ZLint Copyright 2024 Regents of the University of Michigan 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | # use this file except in compliance with the License. You may obtain a copy 8 | # of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | # implied. 
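See the License for the specific language governing
# permissions and limitations under the License.

echo "You should not be here, computer."

--------------------------------------------------------------------------------
/v3/integration/main_test.go:
--------------------------------------------------------------------------------
package integration

--------------------------------------------------------------------------------
/v3/integration/package.go:
--------------------------------------------------------------------------------
//go:build integration

// Package integration contains zlint integration tests and supporting test data tools.
package integration

--------------------------------------------------------------------------------
/v3/lints/apple/time.go:
--------------------------------------------------------------------------------
package apple

import "time"

// appleDayLength is the length of one day as Apple defines it for certificate
// lifetime calculations.
//
// In the context of a root policy update on trusted certificate lifetimes[0]
// Apple provided an unambiguous definition for the length of a day:
//
//	"398 days is measured with a day being equal to 86,400 seconds. Any time
//	greater than this indicates an additional day of validity."
//
// We provide that value as a constant here for lints to use. It is declared
// with const rather than var so that no code in the package can reassign the
// threshold that validity-period lints are computed from.
//
// [0]: https://support.apple.com/en-us/HT211025
const appleDayLength = 86400 * time.Second

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ca_country_name_invalid_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License.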
You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCaCountryNameInvalid asserts that the e_ca_country_name_invalid lint
// reports lint.Error for the caInvalCountryCode.pem fixture.
// NOTE(review): the fixture is not shown here; by its name it presumably
// carries an invalid country code — confirm.
func TestCaCountryNameInvalid(t *testing.T) {
	const fixture = "caInvalCountryCode.pem"
	want := lint.Error
	got := test.TestLint("e_ca_country_name_invalid", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestCaCountryNameValid asserts that the same lint reports lint.Pass for the
// caValCountry.pem fixture.
func TestCaCountryNameValid(t *testing.T) {
	const fixture = "caValCountry.pem"
	want := lint.Pass
	got := test.TestLint("e_ca_country_name_invalid", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ca_crl_sign_not_set_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied.
See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCaKeyUsageNoCRLSign asserts that the e_ca_crl_sign_not_set lint reports
// lint.Error for the caKeyUsageNoCRL.pem fixture.
// NOTE(review): by its name the fixture is presumably a CA certificate whose
// key usage lacks the CRL-signing bit — confirm against the PEM.
func TestCaKeyUsageNoCRLSign(t *testing.T) {
	const fixture = "caKeyUsageNoCRL.pem"
	want := lint.Error
	got := test.TestLint("e_ca_crl_sign_not_set", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestKeyUsageCRLSign asserts that the same lint reports lint.Pass for the
// caKeyUsageCrit.pem fixture.
func TestKeyUsageCRLSign(t *testing.T) {
	const fixture = "caKeyUsageCrit.pem"
	want := lint.Pass
	got := test.TestLint("e_ca_crl_sign_not_set", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ca_is_ca_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestKeyCertSignNotCA asserts that the e_ca_is_ca lint reports lint.Error
// for the keyCertSignNotCA.pem fixture.
// NOTE(review): by its name the fixture presumably asserts keyCertSign
// without being marked as a CA — confirm against the PEM.
func TestKeyCertSignNotCA(t *testing.T) {
	const fixture = "keyCertSignNotCA.pem"
	want := lint.Error
	got := test.TestLint("e_ca_is_ca", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestKeyCertSignCA asserts that the same lint reports lint.Pass for the
// keyCertSignCA.pem fixture.
func TestKeyCertSignCA(t *testing.T) {
	const fixture = "keyCertSignCA.pem"
	want := lint.Pass
	got := test.TestLint("e_ca_is_ca", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCaKeyUsageNoCertSign asserts that the e_ca_key_cert_sign_not_set lint
// reports lint.Error for the caKeyUsageNoCertSign.pem fixture.
func TestCaKeyUsageNoCertSign(t *testing.T) {
	const fixture = "caKeyUsageNoCertSign.pem"
	want := lint.Error
	got := test.TestLint("e_ca_key_cert_sign_not_set", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestKeyUsageCertSign asserts that the same lint reports lint.Pass for the
// caKeyUsageCrit.pem fixture.
func TestKeyUsageCertSign(t *testing.T) {
	const fixture = "caKeyUsageCrit.pem"
	want := lint.Pass
	got := test.TestLint("e_ca_key_cert_sign_not_set", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ca_key_usage_missing_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCaKeyUsageMissing asserts that the e_ca_key_usage_missing lint reports
// lint.Error for the caKeyUsageMissing.pem fixture.
func TestCaKeyUsageMissing(t *testing.T) {
	const fixture = "caKeyUsageMissing.pem"
	want := lint.Error
	got := test.TestLint("e_ca_key_usage_missing", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestKeyUsagePresent asserts that the same lint reports lint.Pass for the
// caKeyUsageCrit.pem fixture.
func TestKeyUsagePresent(t *testing.T) {
	const fixture = "caKeyUsageCrit.pem"
	want := lint.Pass
	got := test.TestLint("e_ca_key_usage_missing", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ca_key_usage_not_critical_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCaKeyUsageNotCrit asserts that the e_ca_key_usage_not_critical lint
// reports lint.Error for the caKeyUsageNotCrit.pem fixture.
func TestCaKeyUsageNotCrit(t *testing.T) {
	const fixture = "caKeyUsageNotCrit.pem"
	want := lint.Error
	got := test.TestLint("e_ca_key_usage_not_critical", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestKeyUsageCrit asserts that the same lint reports lint.Pass for the
// caKeyUsageCrit.pem fixture.
func TestKeyUsageCrit(t *testing.T) {
	const fixture = "caKeyUsageCrit.pem"
	want := lint.Pass
	got := test.TestLint("e_ca_key_usage_not_critical", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_cab_ov_requires_org_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCertPolicyOvHasOrg asserts that the e_cab_ov_requires_org lint reports
// lint.Pass for the orgValGoodAllFields.pem fixture.
func TestCertPolicyOvHasOrg(t *testing.T) {
	const fixture = "orgValGoodAllFields.pem"
	want := lint.Pass
	got := test.TestLint("e_cab_ov_requires_org", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestCertPolicyOvNoOrg asserts that the same lint reports lint.Error for the
// orgValNoOrg.pem fixture.
func TestCertPolicyOvNoOrg(t *testing.T) {
	const fixture = "orgValNoOrg.pem"
	want := lint.Error
	got := test.TestLint("e_cab_ov_requires_org", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestIANABareSuffix asserts that the e_dnsname_contains_bare_iana_suffix
// lint reports lint.Error for the dnsNameContainsBareIANASuffix.pem fixture.
// NOTE(review): this file has no matching lint.Pass case; only the failing
// fixture is exercised here.
func TestIANABareSuffix(t *testing.T) {
	const fixture = "dnsNameContainsBareIANASuffix.pem"
	want := lint.Error
	got := test.TestLint("e_dnsname_contains_bare_iana_suffix", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_dnsname_contains_empty_label_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestDNSNameEmptyLabel asserts that the e_dnsname_empty_label lint reports
// lint.Error for the dnsNameEmptyLabel.pem fixture.
func TestDNSNameEmptyLabel(t *testing.T) {
	const fixture = "dnsNameEmptyLabel.pem"
	want := lint.Error
	got := test.TestLint("e_dnsname_empty_label", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestDNSNameNotEmptyLabel asserts that the same lint reports lint.Pass for
// the dnsNameNotEmptyLabel.pem fixture.
func TestDNSNameNotEmptyLabel(t *testing.T) {
	const fixture = "dnsNameNotEmptyLabel.pem"
	want := lint.Pass
	got := test.TestLint("e_dnsname_empty_label", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_dnsname_label_too_long_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestDNSNameLabelTooLong asserts that the e_dnsname_label_too_long lint
// reports lint.Error for the dnsNameLabelTooLong.pem fixture.
// NOTE(review): this file has no matching lint.Pass case; only the failing
// fixture is exercised here.
func TestDNSNameLabelTooLong(t *testing.T) {
	const fixture = "dnsNameLabelTooLong.pem"
	want := lint.Error
	got := test.TestLint("e_dnsname_label_too_long", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_eku_critical_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestEkuCrit asserts that the e_eku_critical lint reports lint.Error for the
// ekuCrit.pem fixture.
func TestEkuCrit(t *testing.T) {
	const fixture = "ekuCrit.pem"
	want := lint.Error
	got := test.TestLint("e_eku_critical", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestEkuNotCrit asserts that the same lint reports lint.Pass for the
// ekuNoCrit.pem fixture.
func TestEkuNotCrit(t *testing.T) {
	const fixture = "ekuNoCrit.pem"
	want := lint.Pass
	got := test.TestLint("e_eku_critical", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNCIPNetReserved asserts that the e_ext_nc_intersects_reserved_ip lint
// reports lint.Error for the NCReservedIPNet.pem fixture.
// NOTE(review): by its name the fixture presumably has a name constraint that
// covers reserved IP space — confirm against the PEM.
func TestNCIPNetReserved(t *testing.T) {
	const fixture = "NCReservedIPNet.pem"
	want := lint.Error
	got := test.TestLint("e_ext_nc_intersects_reserved_ip", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestNCIPNetNotReserved asserts that the same lint reports lint.Pass for the
// NCValidIPNet.pem fixture.
func TestNCIPNetNotReserved(t *testing.T) {
	const fixture = "NCValidIPNet.pem"
	want := lint.Pass
	got := test.TestLint("e_ext_nc_intersects_reserved_ip", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ext_san_missing_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNoSAN asserts that the e_ext_san_missing lint reports lint.Error for
// the subjectEmptyNoSAN.pem fixture.
func TestNoSAN(t *testing.T) {
	const fixture = "subjectEmptyNoSAN.pem"
	want := lint.Error
	got := test.TestLint("e_ext_san_missing", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestHasSAN asserts that the same lint reports lint.Pass for the
// orgValGoodAllFields.pem fixture.
func TestHasSAN(t *testing.T) {
	const fixture = "orgValGoodAllFields.pem"
	want := lint.Pass
	got := test.TestLint("e_ext_san_missing", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_ext_san_other_name_present_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSANOtherNamePresent asserts that the e_ext_san_other_name_present lint
// reports lint.Error for the SANOtherName.pem fixture.
func TestSANOtherNamePresent(t *testing.T) {
	const fixture = "SANOtherName.pem"
	want := lint.Error
	got := test.TestLint("e_ext_san_other_name_present", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestSANOtherNameMissing asserts that the same lint reports lint.Pass for
// the SANEDIParty.pem fixture.
func TestSANOtherNameMissing(t *testing.T) {
	const fixture = "SANEDIParty.pem"
	want := lint.Pass
	got := test.TestLint("e_ext_san_other_name_present", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_extra_subject_common_names_test.go:
--------------------------------------------------------------------------------
package cabf_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestExtraSubjectCommonNames runs the w_extra_subject_common_names lint over
// a small table of fixtures, one subtest per row, and compares the reported
// status with the expected one.
func TestExtraSubjectCommonNames(t *testing.T) {
	type scenario struct {
		label    string
		certFile string
		want     lint.LintStatus
	}
	scenarios := []scenario{
		{label: "One subject common name", certFile: "commonNamesURL.pem", want: lint.Pass},
		{label: "Multiple subject common names", certFile: "extraCommonNames.pem", want: lint.Warn},
	}

	for i := range scenarios {
		sc := scenarios[i]
		t.Run(sc.label, func(t *testing.T) {
			got := test.TestLint("w_extra_subject_common_names", sc.certFile).Status
			if got != sc.want {
				t.Errorf("expected result %v was %v", sc.want, got)
			}
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestRootCAEKU asserts that the e_root_ca_extended_key_usage_present lint
// reports lint.Error for the rootCAWithEKU.pem fixture.
func TestRootCAEKU(t *testing.T) {
	const fixture = "rootCAWithEKU.pem"
	want := lint.Error
	got := test.TestLint("e_root_ca_extended_key_usage_present", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestRootCANoEKU asserts that the same lint reports lint.Pass for the
// rootCAValid.pem fixture.
func TestRootCANoEKU(t *testing.T) {
	const fixture = "rootCAValid.pem"
	want := lint.Pass
	got := test.TestLint("e_root_ca_extended_key_usage_present", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this
file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestRsaModSizeSmall asserts that the e_rsa_mod_less_than_2048_bits lint
// reports lint.Error for the noRsaLength.pem fixture.
// NOTE(review): by the lint's name the fixture presumably carries an RSA key
// with a modulus shorter than 2048 bits — confirm against the PEM.
func TestRsaModSizeSmall(t *testing.T) {
	const fixture = "noRsaLength.pem"
	want := lint.Error
	got := test.TestLint("e_rsa_mod_less_than_2048_bits", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestRsaModSizeNotSmall asserts that the same lint reports lint.Pass for the
// yesRsaLength.pem fixture.
func TestRsaModSizeNotSmall(t *testing.T) {
	const fixture = "yesRsaLength.pem"
	want := lint.Pass
	got := test.TestLint("e_rsa_mod_less_than_2048_bits", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_rsa_mod_not_odd_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License.
You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestRsaModEven asserts that the w_rsa_mod_not_odd lint reports lint.Warn
// for the evenRsaMod.pem fixture. Unlike the e_-prefixed lints in this
// package's tests, the failing case here is expected at warning level.
func TestRsaModEven(t *testing.T) {
	const fixture = "evenRsaMod.pem"
	want := lint.Warn
	got := test.TestLint("w_rsa_mod_not_odd", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestRsaModOdd asserts that the same lint reports lint.Pass for the
// oddRsaMod.pem fixture.
func TestRsaModOdd(t *testing.T) {
	const fixture = "oddRsaMod.pem"
	want := lint.Pass
	got := test.TestLint("w_rsa_mod_not_odd", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied.
See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestRsaExpEven asserts that the e_rsa_public_exponent_not_odd lint reports
// lint.Error for the badRsaExp.pem fixture.
func TestRsaExpEven(t *testing.T) {
	const fixture = "badRsaExp.pem"
	want := lint.Error
	got := test.TestLint("e_rsa_public_exponent_not_odd", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

// TestRsaExpOdd asserts that the same lint reports lint.Pass for the
// goodRsaExp.pem fixture.
func TestRsaExpOdd(t *testing.T) {
	const fixture = "goodRsaExp.pem"
	want := lint.Pass
	got := test.TestLint("e_rsa_public_exponent_not_odd", fixture).Status
	if got == want {
		return
	}
	t.Errorf("%s: expected %s, got %s", fixture, want, got)
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_sub_ca_eku_critical_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubCaEkuCrit runs the w_sub_ca_eku_critical lint against
// subCAWEkuCrit.pem and expects lint.Warn. Judging by the lint and fixture
// names, the fixture is a subordinate CA certificate whose extended key usage
// extension is marked critical.
func TestSubCaEkuCrit(t *testing.T) {
	const fixture = "subCAWEkuCrit.pem"
	want := lint.Warn
	if got := test.TestLint("w_sub_ca_eku_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestSubCaEkuNotCrit is the negative control for w_sub_ca_eku_critical:
// subCAWEkuNoCrit.pem must come back as lint.Pass.
func TestSubCaEkuNotCrit(t *testing.T) {
	const fixture = "subCAWEkuNoCrit.pem"
	want := lint.Pass
	if got := test.TestLint("w_sub_ca_eku_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_sub_ca_eku_missing_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubCaEkuMissing runs the n_sub_ca_eku_missing lint against
// subCAEKUMissing.pem and expects lint.Notice.
func TestSubCaEkuMissing(t *testing.T) {
	const fixture = "subCAEKUMissing.pem"
	want := lint.Notice
	if got := test.TestLint("n_sub_ca_eku_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestSubCaEkuNotMissing is the negative control for n_sub_ca_eku_missing.
// It uses subCAWEkuCrit.pem as the "EKU present" certificate and expects
// lint.Pass.
func TestSubCaEkuNotMissing(t *testing.T) {
	const fixture = "subCAWEkuCrit.pem"
	want := lint.Pass
	if got := test.TestLint("n_sub_ca_eku_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names_test.go:
--------------------------------------------------------------------------------
package cabf_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestAIAInternalName drives the w_sub_cert_aia_contains_internal_names lint
// over four fixtures, one subtest each: valid names (Pass), internal names
// (Warn), an IP address (Pass) and a certificate without the extension (NA).
// On mismatch the lint's Details are printed alongside the statuses.
func TestAIAInternalName(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - aia with valid names", "aiaWithValidNames.pem", lint.Pass},
		{"warn - aia with internal names", "aiaWithInternalNames.pem", lint.Warn},
		{"pass - aia with an IP address", "aiaWithIP.pem", lint.Pass},
		// The "not present" case reuses akiCritical.pem, a fixture named
		// after a different extension.
		{"na - aia is not present", "akiCritical.pem", lint.NA},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("w_sub_cert_aia_contains_internal_names", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_sub_cert_aia_missing_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubCertAiaMissing runs the e_sub_cert_aia_missing lint against
// subCertWNoURL.pem and expects lint.Error.
func TestSubCertAiaMissing(t *testing.T) {
	const fixture = "subCertWNoURL.pem"
	want := lint.Error
	if got := test.TestLint("e_sub_cert_aia_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestSubCertAiaPresent is the negative control for e_sub_cert_aia_missing:
// subCertWBothURL.pem must come back as lint.Pass.
func TestSubCertAiaPresent(t *testing.T) {
	const fixture = "subCertWBothURL.pem"
	want := lint.Pass
	if got := test.TestLint("e_sub_cert_aia_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubCertCountryNameMustAppear runs the
// e_sub_cert_country_name_must_appear lint against
// subCertCountryNameMustAppear.pem and expects lint.Error.
//
// NOTE(review): this file exercises only the failing case. A lint that
// returned Error for every certificate would still satisfy it, so a passing
// fixture would make the test meaningfully stronger.
func TestSubCertCountryNameMustAppear(t *testing.T) {
	const fixture = "subCertCountryNameMustAppear.pem"
	want := lint.Error
	if got := test.TestLint("e_sub_cert_country_name_must_appear", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_sub_cert_eku_missing_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestEkuMissing runs the e_sub_cert_eku_missing lint against
// subExtKeyUsageMissing.pem and expects lint.Error.
func TestEkuMissing(t *testing.T) {
	const fixture = "subExtKeyUsageMissing.pem"
	want := lint.Error
	if got := test.TestLint("e_sub_cert_eku_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestEkuPresent is the negative control for e_sub_cert_eku_missing:
// subExtKeyUsageServClient.pem must come back as lint.Pass.
func TestEkuPresent(t *testing.T) {
	const fixture = "subExtKeyUsageServClient.pem"
	want := lint.Pass
	if got := test.TestLint("e_sub_cert_eku_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_sub_cert_is_ca_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubCertIsNotCA runs the e_sub_cert_not_is_ca lint against
// subCertIsNotCA.pem and expects lint.Pass.
func TestSubCertIsNotCA(t *testing.T) {
	const fixture = "subCertIsNotCA.pem"
	want := lint.Pass
	if got := test.TestLint("e_sub_cert_not_is_ca", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestSubCertIsCA runs the same lint against subCertIsCA.pem and expects
// lint.Error. Judging by the names, the fixture is a subscriber certificate
// that asserts the CA flag, which is the condition the lint exists to catch.
func TestSubCertIsCA(t *testing.T) {
	const fixture = "subCertIsCA.pem"
	want := lint.Error
	if got := test.TestLint("e_sub_cert_not_is_ca", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_subject_common_name_included_sc62_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCNSC62 runs the w_subject_common_name_included lint against
// commonNameExistsSC62.pem and expects lint.Warn.
func TestCNSC62(t *testing.T) {
	const fixture = "commonNameExistsSC62.pem"
	want := lint.Warn
	if got := test.TestLint("w_subject_common_name_included", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestNoCNSC62 is the negative control for w_subject_common_name_included:
// commonNameGoodSC62.pem must come back as lint.Pass.
func TestNoCNSC62(t *testing.T) {
	const fixture = "commonNameGoodSC62.pem"
	want := lint.Pass
	if got := test.TestLint("w_subject_common_name_included", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_subject_common_name_included_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCN runs the n_subject_common_name_included lint against
// commonNamesURL.pem and expects lint.Notice.
func TestCN(t *testing.T) {
	const fixture = "commonNamesURL.pem"
	want := lint.Notice
	if got := test.TestLint("n_subject_common_name_included", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestNoCN is the negative control for n_subject_common_name_included:
// commonNamesGood.pem must come back as lint.Pass.
func TestNoCN(t *testing.T) {
	const fixture = "commonNamesGood.pem"
	want := lint.Pass
	if got := test.TestLint("n_subject_common_name_included", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_br/lint_subject_country_not_iso_test.go:
--------------------------------------------------------------------------------
package cabf_br

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCountryNotIso runs the e_subject_country_not_iso lint against
// subjectInvalidCountry.pem and expects lint.Error.
func TestCountryNotIso(t *testing.T) {
	const fixture = "subjectInvalidCountry.pem"
	want := lint.Error
	if got := test.TestLint("e_subject_country_not_iso", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestCountryIsIso is the negative control for e_subject_country_not_iso:
// subjectValidCountry.pem must come back as lint.Pass.
func TestCountryIsIso(t *testing.T) {
	const fixture = "subjectValidCountry.pem"
	want := lint.Pass
	if got := test.TestLint("e_subject_country_not_iso", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points_test.go:
--------------------------------------------------------------------------------
package cabf_cs_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCsCrlDistributionPoints drives the e_cs_crl_distribution_points lint
// over three code signing fixtures, one subtest each: a valid certificate
// (Pass), one without CRLDistributionPoints (Error) and one whose
// CRLDistributionPoints has no http entry (Error). On mismatch the lint's
// Details are printed alongside the statuses.
func TestCsCrlDistributionPoints(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - code signing certificate with CRLDistributionPoints", "code_signing/validCodeSigningCertificate.pem", lint.Pass},
		{"fail - code signing certificate without CRLDistributionPoints", "code_signing/noCrldpIncluded.pem", lint.Error},
		{"fail - code signing certificate with CRLDistributionPoints without http", "code_signing/crlDpNoHttp.pem", lint.Error},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_cs_crl_distribution_points", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_cs_br/lint_cs_eku_required_test.go:
--------------------------------------------------------------------------------
package cabf_cs_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCsEKUCheck drives the e_cs_eku_required lint over three code signing
// fixtures: a valid certificate (Pass), one without the required EKU (Error)
// and one carrying a prohibited EKU (Error). The third case matters because
// it shows the lint rejects unwanted usages rather than only checking that
// the required one is present.
func TestCsEKUCheck(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - valid code signing certificate with required EKU", "code_signing/validCodeSigningCertificate.pem", lint.Pass},
		{"fail - code signing certificate without required EKU", "code_signing/noRequiredCodeSigningEKU.pem", lint.Error},
		{"fail - code signing certificate with prohibited EKU", "code_signing/containsProhibitedEKU.pem", lint.Error},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_cs_eku_required", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_cs_br/lint_cs_rsa_key_size_test.go:
--------------------------------------------------------------------------------
package cabf_cs_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCsRsaKeySize drives the e_cs_rsa_key_size lint over three code signing
// fixtures: an RSA key of at least 3072 bits (Pass), a 2048-bit RSA key
// (Error) and an ECDSA key, to which the lint does not apply (NA).
//
// NOTE(review): no case sits exactly on the 3072-bit boundary by name;
// confirm which size validCodeSigningCertificate.pem actually carries.
func TestCsRsaKeySize(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - code signing certificate with RSA key size >= 3072", "code_signing/validCodeSigningCertificate.pem", lint.Pass},
		{"fail - code signing certificate a 2048 RSA key size", "code_signing/lessThan3072RSAKeySize.pem", lint.Error},
		{"NA - code signing certificate with an ECDSA key", "code_signing/codeSigningWithECDSAKey.pem", lint.NA},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_cs_rsa_key_size", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state_test.go:
--------------------------------------------------------------------------------
/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

package cabf_ev

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestCabfOrgIdentifierPsdVatHasState runs the
// e_cabf_org_identifier_psd_vat_has_state lint against
// cabfOrgIdentifierPSDState.pem and expects lint.Error.
//
// NOTE(review): only the failing case is exercised in this file. A lint that
// returned Error unconditionally would still satisfy it, so a passing fixture
// would strengthen the test.
func TestCabfOrgIdentifierPsdVatHasState(t *testing.T) {
	const fixture = "cabfOrgIdentifierPSDState.pem"
	want := lint.Error
	if got := test.TestLint("e_cabf_org_identifier_psd_vat_has_state", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_ev/lint_ev_business_category_missing_test.go:
--------------------------------------------------------------------------------
package cabf_ev

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestEvNoBiz runs the e_ev_business_category_missing lint against
// evAllGood.pem and expects lint.Error.
//
// NOTE(review): the fixture is named "AllGood" yet is expected to fail this
// lint, while other cabf_ev tests use the same file as their passing
// certificate. Presumably it lacks a business category; confirm that is
// intentional. There is also no passing case for this lint in this file.
func TestEvNoBiz(t *testing.T) {
	const fixture = "evAllGood.pem"
	want := lint.Error
	if got := test.TestLint("e_ev_business_category_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_ev/lint_ev_country_name_missing_test.go:
--------------------------------------------------------------------------------
package cabf_ev

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestEvHasCountry runs the e_ev_country_name_missing lint against
// evAllGood.pem and expects lint.Pass.
func TestEvHasCountry(t *testing.T) {
	const fixture = "evAllGood.pem"
	want := lint.Pass
	if got := test.TestLint("e_ev_country_name_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestEvNoCountry runs the same lint against evNoCountry.pem and expects
// lint.Error.
func TestEvNoCountry(t *testing.T) {
	const fixture = "evNoCountry.pem"
	want := lint.Error
	if got := test.TestLint("e_ev_country_name_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_ev/lint_ev_not_wildcard_test.go:
--------------------------------------------------------------------------------
/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

package cabf_ev

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSmoke runs the e_ev_not_wildcard lint over three fixtures as parallel
// subtests named after the fixture file: an EV wildcard certificate must be
// an Error, a non-wildcard subscriber certificate must Pass, and a wildcard
// certificate for an onion name must also Pass.
//
// The expectations live in a map, so subtest registration order is not
// deterministic from run to run.
func TestSmoke(t *testing.T) {
	expectations := map[string]lint.LintStatus{
		"evWildcard.pem":                lint.Error,
		"evSubscriberNotWildCard.pem":   lint.Pass,
		"evSubscriberWildcardOnion.pem": lint.Pass,
	}
	for fixture, status := range expectations {
		// Per-iteration copies: the parallel closure below runs after the
		// loop has moved on, which matters on toolchains before Go 1.22.
		fixture, status := fixture, status
		t.Run(fixture, func(t *testing.T) {
			t.Parallel()
			if got := test.TestLint("e_ev_not_wildcard", fixture).Status; got != status {
				t.Errorf("want %s, got %s", status, got)
			}
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_ev/lint_ev_organization_name_missing_test.go:
--------------------------------------------------------------------------------
package cabf_ev

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestEvHasOrg runs the e_ev_organization_name_missing lint against
// evAllGood.pem and expects lint.Pass.
func TestEvHasOrg(t *testing.T) {
	const fixture = "evAllGood.pem"
	want := lint.Pass
	if got := test.TestLint("e_ev_organization_name_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestEvNoOrg runs the same lint against evNoOrg.pem and expects lint.Error.
func TestEvNoOrg(t *testing.T) {
	const fixture = "evNoOrg.pem"
	want := lint.Error
	if got := test.TestLint("e_ev_organization_name_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_ev/lint_ev_serial_number_missing_test.go:
--------------------------------------------------------------------------------
package cabf_ev

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestEvHasSN runs the e_ev_serial_number_missing lint against evAllGood.pem
// and expects lint.Pass.
func TestEvHasSN(t *testing.T) {
	const fixture = "evAllGood.pem"
	want := lint.Pass
	if got := test.TestLint("e_ev_serial_number_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestEvNoSN runs the same lint against evNoSN.pem and expects lint.Error.
func TestEvNoSN(t *testing.T) {
	const fixture = "evNoSN.pem"
	want := lint.Error
	if got := test.TestLint("e_ev_serial_number_missing", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large_test.go:
--------------------------------------------------------------------------------
package cabf_ev

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestTorValidityTooLarge drives the e_onion_subject_validity_time_too_large
// lint over three onion fixtures: a long-lived certificate issued before the
// lint's effective date (NE), a long-lived one issued after it (Error) and
// one with an acceptable lifetime (Pass). Unlike the other table tests on
// this page, the failure message does not include the lint's Details.
func TestTorValidityTooLarge(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"Onion subject, long expiry before util.OnionOnlyEVDate", "onionSANLongExpiryPreBallot.pem", lint.NE},
		{"Onion subject, long expiry, after util.OnionOnlyEVDate", "onionSANLongExpiry.pem", lint.Error},
		{"Onion subject, valid expiry", "onionSANGoodExpiry.pem", lint.Pass},
	}

	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_onion_subject_validity_time_too_large", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v", sc.want, got.Status)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_authority_key_identifier_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestAuthorityKeyInfoCorrect drives the e_authority_key_identifier_correct
// lint over two S/MIME fixtures: one whose authority key identifier carries
// a keyIdentifier (Pass) and one that carries a serial and DirName (Error).
func TestAuthorityKeyInfoCorrect(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - cert has keyIdentifier", "smime/authority_key_identifier_valid.pem", lint.Pass},
		{"Error - cert has serial and DirName", "smime/authority_key_identifier_invalid.pem", lint.Error},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_authority_key_identifier_correct", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_key_usage_criticality_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestKeyUsageCriticality drives the w_key_usage_criticality lint over four
// S/MIME fixtures: a critical key usage extension (Pass), a certificate
// outside the S/MIME BR scope (NA), one issued before the lint's effective
// date (NE) and a non-critical key usage extension (Warn).
func TestKeyUsageCriticality(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - cert with critical KU extension", "smime/rsa_strict_digital_signature_ku.pem", lint.Pass},
		{"NA - non-SMIME BR cert", "smime/domainValidatedWithEmailCommonName.pem", lint.NA},
		// NOTE(review): the case name says 2020-09-01 but the fixture is
		// named for August 2023; one of the two looks stale. Confirm
		// against the lint's effective date.
		{"NE - certificate with KU extension dated before 2020-09-01", "smime/rsa_strict_valid_ku_august_2023.pem", lint.NE},
		{"Warn - certificate with non-critical KU extension", "smime/with_non_critical_ku_extension.pem", lint.Warn},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("w_key_usage_criticality", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_key_usage_presence_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestKeyUsagePresence drives the e_key_usage_presence lint over four S/MIME
// fixtures: a certificate with a key usage extension (Pass), a certificate
// outside the S/MIME BR scope (NA), one issued before the lint's effective
// date (NE) and one without a key usage extension (Error).
func TestKeyUsagePresence(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - cert with KU extension", "smime/rsa_strict_digital_signature_ku.pem", lint.Pass},
		{"NA - non-SMIME BR cert", "smime/domainValidatedWithEmailCommonName.pem", lint.NA},
		// NOTE(review): the case name says 2020-09-01 but the fixture is
		// named for August 2023; one of the two looks stale. Confirm
		// against the lint's effective date.
		{"NE - certificate with KU extension dated before 2020-09-01", "smime/rsa_strict_valid_ku_august_2023.pem", lint.NE},
		{"Error - certificate without KU extension", "smime/mailboxValidatedLegacyWithCommonName.pem", lint.Error},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_key_usage_presence", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSMIMELegacyAIAHasOneHTTP drives the
// e_smime_legacy_aia_shall_have_one_http lint over two S/MIME fixtures: an
// AIA with one ldap and one HTTP URI per access method (Pass) and an AIA
// with ldap URIs only (Error).
func TestSMIMELegacyAIAHasOneHTTP(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"pass - aia with one ldap URI and one HTTP in each method", "smime/legacyAiaOneHTTPOneLdap.pem", lint.Pass},
		// NOTE(review): the wording of this case name looks garbled ("only
		// ldap URIs HTTP in each method"); the fixture name suggests
		// ldap-only.
		{"error - aia with only ldap URIs HTTP in each method", "smime/legacyAiaLdapOnly.pem", lint.Error},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_smime_legacy_aia_shall_have_one_http", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_qc_statements_not_critical_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSMIMEQCStatementsNotCritical drives the
// e_smime_qc_statements_must_not_be_critical lint over three S/MIME
// fixtures: no qcStatements extension (NA), a non-critical qcStatements
// extension (Pass) and a critical one (Error).
func TestSMIMEQCStatementsNotCritical(t *testing.T) {
	type scenario struct {
		name    string
		fixture string
		want    lint.LintStatus
	}
	scenarios := []scenario{
		{"N/A - no qcStatements extension", "smime/legacyAiaOneHTTPOneLdap.pem", lint.NA},
		{"Pass - qcStatements not critical", "smime/e_smime_qc_statements_must_not_be_critical_pass.pem", lint.Pass},
		{"Fail - qcStatements critical", "smime/e_smime_qc_statements_must_not_be_critical_fail.pem", lint.Error},
	}
	for _, sc := range scenarios {
		t.Run(sc.name, func(t *testing.T) {
			got := test.TestLint("e_smime_qc_statements_must_not_be_critical", sc.fixture)
			if got.Status == sc.want {
				return
			}
			t.Errorf("expected result %v was %v - details: %v", sc.want, got.Status, got.Details)
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_san_shall_be_present_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

func TestSubscriberSubjectAlternativeNameShallBePresent(t *testing.T) {
	testCases := []struct {
		Name           string
		InputFilename  string
		ExpectedResult lint.LintStatus
	}{
		{
			Name:           "pass - cert with SAN",
			InputFilename:  "smime/with_subject_alternative_name.pem",
			ExpectedResult: lint.Pass,
		},
		{
			Name:           "error - cert without SAN",
			InputFilename:  "smime/without_subject_alternative_name.pem",
			ExpectedResult: lint.Error,
		},
		{
			Name:           "na - certificate has no SMIME BR policy",
			InputFilename:
"smime/with_subject_alternative_name_no_br.pem", 29 | ExpectedResult: lint.NA, 30 | }, 31 | } 32 | for _, tc := range testCases { 33 | t.Run(tc.Name, func(t *testing.T) { 34 | result := test.TestLint("e_san_shall_be_present", tc.InputFilename) 35 | if result.Status != tc.ExpectedResult { 36 | t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) 37 | } 38 | }) 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /v3/lints/cabf_smime_br/lint_san_should_not_be_critical_test.go: -------------------------------------------------------------------------------- 1 | package cabf_smime_br 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/zmap/zlint/v3/lint" 7 | "github.com/zmap/zlint/v3/test" 8 | ) 9 | 10 | func TestSubjectAlternativeNameNotCritical(t *testing.T) { 11 | testCases := []struct { 12 | Name string 13 | InputFilename string 14 | ExpectedResult lint.LintStatus 15 | }{ 16 | { 17 | Name: "pass - certificate with non-critical SAN and non-empty subject", 18 | InputFilename: "smime/san_non_critical_non_empty_subject.pem", 19 | ExpectedResult: lint.Pass, 20 | }, 21 | { 22 | Name: "warn - certificate with critical SAN and non-empty subject", 23 | InputFilename: "smime/san_critical_non_empty_subject.pem", 24 | ExpectedResult: lint.Warn, 25 | }, 26 | { 27 | Name: "na - certificate has no SMIME BR policy", 28 | InputFilename: "ecdsaP224.pem", 29 | ExpectedResult: lint.NA, 30 | }, 31 | } 32 | for _, tc := range testCases { 33 | t.Run(tc.Name, func(t *testing.T) { 34 | result := test.TestLint("w_san_should_not_be_critical", tc.InputFilename) 35 | if result.Status != tc.ExpectedResult { 36 | t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) 37 | } 38 | }) 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /v3/lints/cabf_smime_br/lint_single_email_if_present_test.go: 
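--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSingleEmailIfPresent runs the e_single_email_if_present lint over each
// fixture in the table and fails when the returned status differs from
// ExpectedResult.
func TestSingleEmailIfPresent(t *testing.T) {
	testCases := []struct {
		Name           string
		InputFilename  string
		ExpectedResult lint.LintStatus
	}{
		{
			Name:           "pass - cert with one email address",
			InputFilename:  "smime/single_email_present.pem",
			ExpectedResult: lint.Pass,
		},
		{
			Name:           "NA - cert with no email addresses",
			InputFilename:  "smime/no_email_present.pem",
			ExpectedResult: lint.NA,
		},
		{
			Name:           "Pass - cert with multiple email addresses",
			InputFilename:  "smime/multiple_email_present.pem",
			ExpectedResult: lint.Pass,
		},
		{
			Name:           "Error - email address present with multiple values",
			InputFilename:  "smime/email_with_multiple_values.pem",
			ExpectedResult: lint.Error,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.Name, func(t *testing.T) {
			result := test.TestLint("e_single_email_if_present", tc.InputFilename)
			if result.Status != tc.ExpectedResult {
				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
			}
		})
	}
}
--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_single_email_subject_if_present_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSingleEmailSubjectIfPresent runs the e_single_email_subject_if_present
// lint over each fixture in the table and fails when the returned status
// differs from ExpectedResult.
func TestSingleEmailSubjectIfPresent(t *testing.T) {
	testCases := []struct {
		Name           string
		InputFilename  string
		ExpectedResult lint.LintStatus
	}{
		{
			Name:           "error - email address present in subjectDN with multiple values",
			InputFilename:  "smime/twoEmailAddressesInSubjectDN.pem",
			ExpectedResult: lint.Error,
		},
		{
			Name:           "pass - email address present in subjectDN with one value",
			InputFilename:  "smime/oneEmailAddressInSubjectDN.pem",
			ExpectedResult: lint.Pass,
		},
		{
			Name:           "na - no email address present in subjectDN",
			InputFilename:  "smime/noEmailAddressInSubjectDN.pem",
			ExpectedResult: lint.NA,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.Name, func(t *testing.T) {
			result := test.TestLint("e_single_email_subject_if_present", tc.InputFilename)
			if result.Status != tc.ExpectedResult {
				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
			}
		})
	}
}
--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSMIMEStrictAIAHasHTTPOnly runs the
// e_smime_strict_aia_shall_have_http_only lint over each fixture in the table
// and fails when the returned status differs from ExpectedResult.
//
// Each subtest name starts with the status the case expects and is unique:
// Go's testing package disambiguates repeated t.Run names with a numeric
// suffix, which makes a failing case hard to trace back to its fixture.
func TestSMIMEStrictAIAHasHTTPOnly(t *testing.T) {
	testCases := []struct {
		Name           string
		InputFilename  string
		ExpectedResult lint.LintStatus
	}{
		{
			Name:           "pass - aia with valid names",
			InputFilename:  "smime/aiaWithValidNamesStrict.pem",
			ExpectedResult: lint.Pass,
		},
		{
			// This lint is expected to pass on the internal-names fixture,
			// so the label says "pass" rather than "warn".
			Name:           "pass - aia with internal names",
			InputFilename:  "smime/aiaWithInternalNamesStrict.pem",
			ExpectedResult: lint.Pass,
		},
		{
			// Named after the fixture (an LDAP OCSP entry, going by the file
			// name) instead of repeating the previous case's label.
			Name:           "error - aia with LDAP OCSP",
			InputFilename:  "smime/aiaWithLDAPOCSPStrict.pem",
			ExpectedResult: lint.Error,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.Name, func(t *testing.T) {
			result := test.TestLint("e_smime_strict_aia_shall_have_http_only", tc.InputFilename)
			if result.Status != tc.ExpectedResult {
				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
			}
		})
	}
}
--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_subject_dir_attr_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSMIMESubjectDirAttributes runs the
// e_strict_multipurpose_smime_ext_subject_directory_attr lint over each
// fixture in the table and fails when the returned status differs from
// ExpectedResult.
func TestSMIMESubjectDirAttributes(t *testing.T) {
	testCases := []struct {
		Name           string
		InputFilename  string
		ExpectedResult lint.LintStatus
	}{
		{
			Name:           "pass - no subject dir attributes extension",
			InputFilename:  "smime/mailboxValidatedStrictWithCommonName.pem",
			ExpectedResult: lint.Pass,
		},
		{
			Name:           "error - multipurpose with subject dir attributes extension",
			InputFilename:  "smime/multipurposeWithSubjectDirectoryAttributes.pem",
			ExpectedResult: lint.Error,
		},
		{
			Name:           "NA - legacy no subject dir attributes extension",
			InputFilename:  "smime/ec_legacy_digital_signature_ku.pem",
			ExpectedResult: lint.NA,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.Name, func(t *testing.T) {
			result := test.TestLint("e_strict_multipurpose_smime_ext_subject_directory_attr", tc.InputFilename)
			if result.Status != tc.ExpectedResult {
				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
			}
		})
	}
}
--------------------------------------------------------------------------------
/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points_test.go:
--------------------------------------------------------------------------------
package cabf_smime_br

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubscriberCrlDistributionPoints runs the
// e_subscribers_shall_have_crl_distribution_points lint over each fixture in
// the table and fails when the returned status differs from ExpectedResult.
func TestSubscriberCrlDistributionPoints(t *testing.T) {
	testCases := []struct {
		Name           string
		InputFilename  string
		ExpectedResult lint.LintStatus
	}{
		{
			Name:           "pass - cert with a CRL distribution point",
			InputFilename:  "smime/subscriber_with_crl_distribution_points.pem",
			ExpectedResult: lint.Pass,
		},
		{
			Name:           "error - cert without a CRL distribution point",
			InputFilename:  "smime/subscriber_no_crl_distribution_points.pem",
			ExpectedResult: lint.Error,
		},
		{
			Name:           "na - certificate has no SMIME BR policy",
			InputFilename:  "smime/with_subject_alternative_name_no_br.pem",
			ExpectedResult: lint.NA,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.Name, func(t *testing.T) {
			result := test.TestLint("e_subscribers_shall_have_crl_distribution_points", tc.InputFilename)
			if result.Status != tc.ExpectedResult {
				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
			}
		})
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_ian_bare_wildcard_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.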
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestBrIANBareWildcard expects the e_ian_bare_wildcard lint to return
// lint.Error for the IANBareWildcard.pem fixture.
func TestBrIANBareWildcard(t *testing.T) {
	const certFile = "IANBareWildcard.pem"
	want := lint.Error
	if got := test.TestLint("e_ian_bare_wildcard", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestBrIANNotBareWildcard expects the e_ian_bare_wildcard lint to return
// lint.Pass for the IANURIValid.pem fixture.
func TestBrIANNotBareWildcard(t *testing.T) {
	const certFile = "IANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_ian_bare_wildcard", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_ian_dns_name_includes_null_char_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestBrIANDNSNull expects the e_ian_dns_name_includes_null_char lint to
// return lint.Error for the IANDNSNull.pem fixture.
//
// NOTE(review): presumably the fixture carries an issuer alternative name
// dNSName with an embedded NUL, which consumers that treat names as
// NUL-terminated strings could read as a shorter name - confirm against the
// lint's description and the test data.
func TestBrIANDNSNull(t *testing.T) {
	const certFile = "IANDNSNull.pem"
	want := lint.Error
	if got := test.TestLint("e_ian_dns_name_includes_null_char", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestBrIANDNSNotNull expects the e_ian_dns_name_includes_null_char lint to
// return lint.Pass for the IANURIValid.pem fixture.
func TestBrIANDNSNotNull(t *testing.T) {
	const certFile = "IANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_ian_dns_name_includes_null_char", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_ian_iana_pub_suffix_empty_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestIANBarePubSuffix expects the w_ian_iana_pub_suffix_empty lint to return
// lint.Warn for the IANBareSuffix.pem fixture.
func TestIANBarePubSuffix(t *testing.T) {
	const certFile = "IANBareSuffix.pem"
	want := lint.Warn
	if got := test.TestLint("w_ian_iana_pub_suffix_empty", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestIANGoodPubSuffix expects the w_ian_iana_pub_suffix_empty lint to return
// lint.Pass for the IANGoodSuffix.pem fixture.
func TestIANGoodPubSuffix(t *testing.T) {
	const certFile = "IANGoodSuffix.pem"
	want := lint.Pass
	if got := test.TestLint("w_ian_iana_pub_suffix_empty", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_ian_wildcard_not_first_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestBrIANWildcardFirst expects the e_ian_wildcard_not_first lint to return
// lint.Error for the IANWildcardFirst.pem fixture.
//
// NOTE(review): the test and fixture names say "WildcardFirst" while the
// expected status is lint.Error; presumably the fixture holds a wildcard that
// is not the left-most label - confirm against the test data.
func TestBrIANWildcardFirst(t *testing.T) {
	const certFile = "IANWildcardFirst.pem"
	want := lint.Error
	if got := test.TestLint("e_ian_wildcard_not_first", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestBrIANWildcardNotFirst expects the e_ian_wildcard_not_first lint to
// return lint.Pass for the IANURIValid.pem fixture.
func TestBrIANWildcardNotFirst(t *testing.T) {
	const certFile = "IANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_ian_wildcard_not_first", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_is_redacted_cert_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestDNSNameContainsQuestionMark expects the n_contains_redacted_dnsname lint
// to return lint.Notice for the dnsNameContainsQuestionMark.pem fixture. It is
// the only test in this file, so no other status of the lint is exercised
// here.
func TestDNSNameContainsQuestionMark(t *testing.T) {
	const certFile = "dnsNameContainsQuestionMark.pem"
	want := lint.Notice
	if got := test.TestLint("n_contains_redacted_dnsname", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_issuer_multiple_rdn_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestIssuerRDNTwoAttribute expects the w_multiple_issuer_rdn lint to return
// lint.Warn for the issuerRDNTwoAttribute.pem fixture.
func TestIssuerRDNTwoAttribute(t *testing.T) {
	const certFile = "issuerRDNTwoAttribute.pem"
	want := lint.Warn
	if got := test.TestLint("w_multiple_issuer_rdn", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestIssuerRDNOneAttribute expects the w_multiple_issuer_rdn lint to return
// lint.Pass for the RSASHA1Good.pem fixture.
func TestIssuerRDNOneAttribute(t *testing.T) {
	const certFile = "RSASHA1Good.pem"
	want := lint.Pass
	if got := test.TestLint("w_multiple_issuer_rdn", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_rsa_exp_negative_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TODO: There should be a test for negative RSA exp.

// TestRsaExpPositive expects the e_rsa_exp_negative lint to return lint.Pass
// for the IANURIValid.pem fixture. It is the only test in this file, so the
// lint's lint.Error path has no fixture here and a regression on that path
// would not be caught by this file.
func TestRsaExpPositive(t *testing.T) {
	const certFile = "IANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_rsa_exp_negative", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_san_bare_wildcard_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestBrSANBareWildcard expects the e_san_bare_wildcard lint to return
// lint.Error for the SANBareWildcard.pem fixture.
func TestBrSANBareWildcard(t *testing.T) {
	const certFile = "SANBareWildcard.pem"
	want := lint.Error
	if got := test.TestLint("e_san_bare_wildcard", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestBrSANNotBareWildcard expects the e_san_bare_wildcard lint to return
// lint.Pass for the SANURIValid.pem fixture.
func TestBrSANNotBareWildcard(t *testing.T) {
	const certFile = "SANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_san_bare_wildcard", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_san_dns_name_duplicate_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestBrSANDNSDuplicate expects the n_san_dns_name_duplicate lint to return
// lint.Notice for the SANDNSDuplicate.pem fixture. It is the only test in this
// file, so no other status of the lint is exercised here.
func TestBrSANDNSDuplicate(t *testing.T) {
	const certFile = "SANDNSDuplicate.pem"
	want := lint.Notice
	if got := test.TestLint("n_san_dns_name_duplicate", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_san_dns_name_includes_null_char_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestBrSANDNSNull expects the e_san_dns_name_includes_null_char lint to
// return lint.Error for the SANDNSNull.pem fixture.
//
// NOTE(review): presumably the fixture carries a subject alternative name
// dNSName with an embedded NUL, which consumers that treat names as
// NUL-terminated strings could read as a shorter name - confirm against the
// lint's description and the test data.
func TestBrSANDNSNull(t *testing.T) {
	const certFile = "SANDNSNull.pem"
	want := lint.Error
	if got := test.TestLint("e_san_dns_name_includes_null_char", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestBrSANDNSNotNull expects the e_san_dns_name_includes_null_char lint to
// return lint.Pass for the SANURIValid.pem fixture.
func TestBrSANDNSNotNull(t *testing.T) {
	const certFile = "SANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_san_dns_name_includes_null_char", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_san_wildcard_not_first_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestBrSANWildcardFirst expects the e_san_wildcard_not_first lint to return
// lint.Error for the SANWildcardFirst.pem fixture.
//
// NOTE(review): the test and fixture names say "WildcardFirst" while the
// expected status is lint.Error; presumably the fixture holds a wildcard that
// is not the left-most label - confirm against the test data.
func TestBrSANWildcardFirst(t *testing.T) {
	const certFile = "SANWildcardFirst.pem"
	want := lint.Error
	if got := test.TestLint("e_san_wildcard_not_first", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestBrSANWildcardNotFirst expects the e_san_wildcard_not_first lint to
// return lint.Pass for the SANURIValid.pem fixture.
func TestBrSANWildcardNotFirst(t *testing.T) {
	const certFile = "SANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_san_wildcard_not_first", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_subject_multiple_rdn_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubjectRDNTwoAttribute expects the n_multiple_subject_rdn lint to return
// lint.Notice for the subjectRDNTwoAttribute.pem fixture.
func TestSubjectRDNTwoAttribute(t *testing.T) {
	const certFile = "subjectRDNTwoAttribute.pem"
	want := lint.Notice
	if got := test.TestLint("n_multiple_subject_rdn", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSubjectRDNOneAttribute expects the n_multiple_subject_rdn lint to return
// lint.Pass for the RSASHA1Good.pem fixture.
func TestSubjectRDNOneAttribute(t *testing.T) {
	const certFile = "RSASHA1Good.pem"
	want := lint.Pass
	if got := test.TestLint("n_multiple_subject_rdn", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}
--------------------------------------------------------------------------------
/v3/lints/community/lint_validity_time_not_positive_test.go:
--------------------------------------------------------------------------------
package community

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestValidityNegative checks that the e_validity_time_not_positive lint
// reports lint.Error for the validityNegative.pem fixture.
func TestValidityNegative(t *testing.T) {
	const fixture = "validityNegative.pem"
	want := lint.Error
	if got := test.TestLint("e_validity_time_not_positive", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestValidityPositive checks that the e_validity_time_not_positive lint
// reports lint.Pass for the IANURIValid.pem fixture.
func TestValidityPositive(t *testing.T) {
	const fixture = "IANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_validity_time_not_positive", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical_test.go: -------------------------------------------------------------------------------- 1 | package etsi 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestEtsiPresentQcsCriticalAgainstQcsTestCerts runs the
// e_qcstatem_etsi_present_qcs_critical lint over a table of fixtures and
// compares each result with the status recorded for that fixture. The table
// covers one Error, one Pass and one NA outcome.
func TestEtsiPresentQcsCriticalAgainstQcsTestCerts(t *testing.T) {
	cases := map[string]lint.LintStatus{
		"QcStmtEtsiWrongCriticalityCert06.pem": lint.Error,
		"QcStmtEtsiValidCert03.pem":            lint.Pass,
		"QcStmtEtsiNoQcStatmentsCert22.pem":    lint.NA,
	}
	// Map iteration order is unspecified, so mismatches may be reported in
	// any order; every fixture is still checked.
	for fixture, want := range cases {
		got := test.TestLint("e_qcstatem_etsi_present_qcs_critical", fixture).Status
		if got == want {
			continue
		}
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
38 | -------------------------------------------------------------------------------- /v3/lints/etsi/lint_qcstatem_qcpds_https_url_test.go: -------------------------------------------------------------------------------- 1 | package etsi 2 | 3 | /* 4 | * ZLint Copyright 2025 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestQcStatemPdsHttpsOnly runs the e_qcstatem_pds_must_have_https_only lint
// over a table of fixtures and compares each result with the status recorded
// for that fixture. The table covers NE, NA, Pass and Error outcomes.
//
// NOTE(review): going by the fixture names, pdsOneHttp.pem carries at least
// one plain-http PDS location and pdsAllHttps.pem none; confirm against the
// testdata.
func TestQcStatemPdsHttpsOnly(t *testing.T) {
	cases := map[string]lint.LintStatus{
		"QcStmtEtsiTwoEnglPdsCert12.pem": lint.NE,
		"qcLegal.pem":                    lint.NA,
		"pdsAllHttps.pem":                lint.Pass,
		"pdsOneHttp.pem":                 lint.Error,
	}
	// Map iteration order is unspecified, so mismatches may be reported in
	// any order; every fixture is still checked.
	for fixture, want := range cases {
		got := test.TestLint("e_qcstatem_pds_must_have_https_only", fixture).Status
		if got == want {
			continue
		}
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
39 | -------------------------------------------------------------------------------- /v3/lints/etsi/lint_qcstatem_qctype_valid_test.go: -------------------------------------------------------------------------------- 1 | package etsi 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestEtsiQcType runs the e_qcstatem_qctype_valid lint over a table of
// fixtures and compares each result with the status recorded for that
// fixture. The table holds four Pass cases and one NA case.
//
// NOTE(review): no fixture in this table expects lint.Error, so the failing
// path of the lint is not exercised by this test.
func TestEtsiQcType(t *testing.T) {
	cases := map[string]lint.LintStatus{
		"QcStmtEtsiValidCert03.pem":         lint.Pass,
		"QcStmtEtsiValidCert11.pem":         lint.Pass,
		"QcStmtEtsiValidAddLangCert13.pem":  lint.Pass,
		"QcStmtEtsiEsealValidCert02.pem":    lint.Pass,
		"QcStmtEtsiNoQcStatmentsCert22.pem": lint.NA,
	}
	// Map iteration order is unspecified, so mismatches may be reported in
	// any order; every fixture is still checked.
	for fixture, want := range cases {
		got := test.TestLint("e_qcstatem_qctype_valid", fixture).Status
		if got == want {
			continue
		}
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
40 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ca_subject_field_empty_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestCaSubjectMissing checks that the e_ca_subject_field_empty lint reports
// lint.Error for the caSubjectMissing.pem fixture.
func TestCaSubjectMissing(t *testing.T) {
	const fixture = "caSubjectMissing.pem"
	want := lint.Error
	if got := test.TestLint("e_ca_subject_field_empty", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestCaSubjectValid checks that the e_ca_subject_field_empty lint reports
// lint.Pass for the caValCountry.pem fixture.
func TestCaSubjectValid(t *testing.T) {
	const fixture = "caValCountry.pem"
	want := lint.Pass
	if got := test.TestLint("e_ca_subject_field_empty", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_crl_has_next_update_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/zmap/zlint/v3/lint" 7 | "github.com/zmap/zlint/v3/test" 8 | ) 9 | 10 | /* 11 | * ZLint Copyright 2024 Regents of the University of Michigan 12 | * 13 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 14 | * use this file except in compliance with the License. You may obtain a copy 15 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 16 | * 17 | * Unless required by applicable law or agreed to in writing, software 18 | * distributed under the License is distributed on an "AS IS" BASIS, 19 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 20 | * implied. See the License for the specific language governing 21 | * permissions and limitations under the License.
22 | */ 23 |
// TestCrlHasNextUpdate checks that the e_crl_has_next_update revocation-list
// lint reports lint.Pass for the crlHasNextUpdate.pem fixture.
func TestCrlHasNextUpdate(t *testing.T) {
	const fixture = "crlHasNextUpdate.pem"
	expected := lint.Pass
	result := test.TestRevocationListLint(t, "e_crl_has_next_update", fixture)

	if actual := result.Status; expected != actual {
		t.Errorf("%s: expected %s, got %s", fixture, expected, actual)
	}
}

// TestCrlNotHaveNextUpdate checks that the e_crl_has_next_update
// revocation-list lint reports lint.Error for the crlNotHaveNextUpdate.pem
// fixture.
func TestCrlNotHaveNextUpdate(t *testing.T) {
	const fixture = "crlNotHaveNextUpdate.pem"
	expected := lint.Error
	result := test.TestRevocationListLint(t, "e_crl_has_next_update", fixture)

	if actual := result.Status; expected != actual {
		t.Errorf("%s: expected %s, got %s", fixture, expected, actual)
	}
}
43 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_distribution_point_incomplete_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestCRLCompleteDp checks that the e_distribution_point_incomplete lint
// reports lint.Pass for the crlComlepteDp.pem fixture.
func TestCRLCompleteDp(t *testing.T) {
	// The fixture name is reproduced exactly as the test refers to it; it
	// presumably matches the file name in testdata.
	const fixture = "crlComlepteDp.pem"
	want := lint.Pass
	if got := test.TestLint("e_distribution_point_incomplete", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestCRLIncompleteDp checks that the e_distribution_point_incomplete lint
// reports lint.Error for the crlIncomlepteDp.pem fixture.
func TestCRLIncompleteDp(t *testing.T) {
	// The fixture name is reproduced exactly as the test refers to it; it
	// presumably matches the file name in testdata.
	const fixture = "crlIncomlepteDp.pem"
	want := lint.Error
	if got := test.TestLint("e_distribution_point_incomplete", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_dnsname_contains_empty_label_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestDNSNameEmptyLabel checks that the e_rfc_dnsname_empty_label lint
// reports lint.Error for the dnsNameEmptyLabel.pem fixture.
func TestDNSNameEmptyLabel(t *testing.T) {
	const fixture = "dnsNameEmptyLabel.pem"
	want := lint.Error
	if got := test.TestLint("e_rfc_dnsname_empty_label", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestDNSNameNotEmptyLabel checks that the e_rfc_dnsname_empty_label lint
// reports lint.Pass for the dnsNameNotEmptyLabel.pem fixture.
func TestDNSNameNotEmptyLabel(t *testing.T) {
	const fixture = "dnsNameNotEmptyLabel.pem"
	want := lint.Pass
	if got := test.TestLint("e_rfc_dnsname_empty_label", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_dnsname_label_too_long_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestDNSNameLabelTooLong checks that the e_rfc_dnsname_label_too_long lint
// reports lint.Error for the dnsNameLabelTooLong.pem fixture.
//
// NOTE(review): this is the only test in the file, so the lint has no
// Pass-case fixture here; a certificate whose labels are all within the
// limit would pin the non-failing path as well.
func TestDNSNameLabelTooLong(t *testing.T) {
	const fixture = "dnsNameLabelTooLong.pem"
	want := lint.Error
	if got := test.TestLint("e_rfc_dnsname_label_too_long", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
32 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_aia_marked_critical_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestAiaCrit checks that the e_ext_aia_marked_critical lint reports
// lint.Error for the aiaCrit.pem fixture.
//
// NOTE(review): going by the lint name, the fixture carries an Authority
// Information Access extension flagged critical; confirm against the lint.
func TestAiaCrit(t *testing.T) {
	const fixture = "aiaCrit.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_aia_marked_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestAiaNotCrit checks that the e_ext_aia_marked_critical lint reports
// lint.Pass for the subCAAIAValid.pem fixture.
func TestAiaNotCrit(t *testing.T) {
	const fixture = "subCAAIAValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_aia_marked_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_critical_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANCrit checks that the w_ext_ian_critical lint reports lint.Warn for
// the IANCritical.pem fixture. The expected status is a warning, not an
// error.
func TestIANCrit(t *testing.T) {
	const fixture = "IANCritical.pem"
	want := lint.Warn
	if got := test.TestLint("w_ext_ian_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANNotCrit checks that the w_ext_ian_critical lint reports lint.Pass
// for the IANNotCritical.pem fixture.
func TestIANNotCrit(t *testing.T) {
	const fixture = "IANNotCritical.pem"
	want := lint.Pass
	if got := test.TestLint("w_ext_ian_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_dns_not_ia5_string_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANDNSIA5String checks that the e_ext_ian_dns_not_ia5_string lint
// reports lint.Pass for the IANDNSIA5String.pem fixture.
func TestIANDNSIA5String(t *testing.T) {
	const fixture = "IANDNSIA5String.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_ian_dns_not_ia5_string", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANDNSNotIA5String checks that the e_ext_ian_dns_not_ia5_string lint
// reports lint.Error for the IANDNSNotIA5String.pem fixture.
func TestIANDNSNotIA5String(t *testing.T) {
	const fixture = "IANDNSNotIA5String.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_ian_dns_not_ia5_string", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_empty_name_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANEmptyName checks that the e_ext_ian_empty_name lint reports
// lint.Error for the IANEmptyName.pem fixture.
func TestIANEmptyName(t *testing.T) {
	const fixture = "IANEmptyName.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_ian_empty_name", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANNotEmptyName checks that the e_ext_ian_empty_name lint reports
// lint.Pass for the IANDNSIA5String.pem fixture.
func TestIANNotEmptyName(t *testing.T) {
	const fixture = "IANDNSIA5String.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_ian_empty_name", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_no_entries_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANNoEntry checks that the e_ext_ian_no_entries lint reports
// lint.Error for the IANEmpty.pem fixture.
func TestIANNoEntry(t *testing.T) {
	const fixture = "IANEmpty.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_ian_no_entries", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANHasEntry checks that the e_ext_ian_no_entries lint reports
// lint.Pass for the IANDNSIA5String.pem fixture.
func TestIANHasEntry(t *testing.T) {
	const fixture = "IANDNSIA5String.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_ian_no_entries", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_rfc822_format_invalid_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANInvalidEmail checks that the e_ext_ian_rfc822_format_invalid lint
// reports lint.Error for the IANInvalidEmail.pem fixture.
func TestIANInvalidEmail(t *testing.T) {
	const fixture = "IANInvalidEmail.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_ian_rfc822_format_invalid", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANValidEmail checks that the e_ext_ian_rfc822_format_invalid lint
// reports lint.Pass for the IANValidEmail.pem fixture.
func TestIANValidEmail(t *testing.T) {
	const fixture = "IANValidEmail.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_ian_rfc822_format_invalid", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_space_dns_name_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANEmptyDNS checks that the e_ext_ian_space_dns_name lint reports
// lint.Error for the IANEmptyDNS.pem fixture.
func TestIANEmptyDNS(t *testing.T) {
	const fixture = "IANEmptyDNS.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_ian_space_dns_name", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANNotEmptyDNS checks that the e_ext_ian_space_dns_name lint reports
// lint.Pass for the IANNonEmptyDNS.pem fixture.
func TestIANNotEmptyDNS(t *testing.T) {
	const fixture = "IANNonEmptyDNS.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_ian_space_dns_name", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_uri_not_ia5_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANURIIA5 checks that the e_ext_ian_uri_not_ia5 lint reports lint.Pass
// for the IANURIIA5String.pem fixture.
func TestIANURIIA5(t *testing.T) {
	const fixture = "IANURIIA5String.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_ian_uri_not_ia5", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANURINotIA5 checks that the e_ext_ian_uri_not_ia5 lint reports
// lint.Error for the IANURINotIA5String.pem fixture.
func TestIANURINotIA5(t *testing.T) {
	const fixture = "IANURINotIA5String.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_ian_uri_not_ia5", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_ian_uri_relative_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestIANURIRelative checks that the e_ext_ian_uri_relative lint reports
// lint.Error for the IANURINoScheme.pem fixture.
func TestIANURIRelative(t *testing.T) {
	const fixture = "IANURINoScheme.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_ian_uri_relative", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestIANURIAbsolute checks that the e_ext_ian_uri_relative lint reports
// lint.Pass for the IANURIValid.pem fixture.
func TestIANURIAbsolute(t *testing.T) {
	const fixture = "IANURIValid.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_ian_uri_relative", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_policy_map_not_critical_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestPolicyMapNotCrit checks that the w_ext_policy_map_not_critical lint
// reports lint.Warn for the policyMapNotCritical.pem fixture. The expected
// status is a warning, not an error.
func TestPolicyMapNotCrit(t *testing.T) {
	const fixture = "policyMapNotCritical.pem"
	want := lint.Warn
	if got := test.TestLint("w_ext_policy_map_not_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestPolicyMapCrit checks that the w_ext_policy_map_not_critical lint
// reports lint.Pass for the policyMapGood.pem fixture.
func TestPolicyMapCrit(t *testing.T) {
	const fixture = "policyMapGood.pem"
	want := lint.Pass
	if got := test.TestLint("w_ext_policy_map_not_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_san_dns_name_too_long_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
15 | */ 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 |
// TestSANDNSShort checks that the e_ext_san_dns_name_too_long lint reports
// lint.Pass for the orgValGoodAllFields.pem fixture.
func TestSANDNSShort(t *testing.T) {
	const fixture = "orgValGoodAllFields.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_san_dns_name_too_long", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestSANDNSTooLong checks that the e_ext_san_dns_name_too_long lint reports
// lint.Error for the SANDNSTooLong.pem fixture.
func TestSANDNSTooLong(t *testing.T) {
	const fixture = "SANDNSTooLong.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_san_dns_name_too_long", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}
41 | -------------------------------------------------------------------------------- /v3/lints/rfc/lint_ext_san_dns_not_ia5_string_test.go: -------------------------------------------------------------------------------- 1 | package rfc 2 | 3 | /* 4 | * ZLint Copyright 2024 Regents of the University of Michigan 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 | * use this file except in compliance with the License. You may obtain a copy 8 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 | * implied. See the License for the specific language governing 14 | * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSANDNSNotIA5String checks that e_ext_san_dns_not_ia5_string reports
// lint.Error for the fixture SANDNSNotIA5String.pem.
func TestSANDNSNotIA5String(t *testing.T) {
	const certFile = "SANDNSNotIA5String.pem"
	want := lint.Error
	// Exact comparison: a downgrade of this lint to a weaker status would
	// fail here as well.
	if got := test.TestLint("e_ext_san_dns_not_ia5_string", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSANDNSIA5String checks that e_ext_san_dns_not_ia5_string reports
// lint.Pass for the fixture SANCaGood.pem.
func TestSANDNSIA5String(t *testing.T) {
	const certFile = "SANCaGood.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_san_dns_not_ia5_string", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_ext_san_empty_name_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSANEmptyName checks that e_ext_san_empty_name reports lint.Error for
// the fixture SANEmptyName.pem.
func TestSANEmptyName(t *testing.T) {
	const certFile = "SANEmptyName.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_san_empty_name", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSANNotEmptyName checks that e_ext_san_empty_name reports lint.Pass for
// the fixture SANCaGood.pem.
func TestSANNotEmptyName(t *testing.T) {
	const certFile = "SANCaGood.pem"
	want := lint.Pass
	// Pass is required exactly, so the lint has to evaluate this fixture and
	// accept it.
	if got := test.TestLint("e_ext_san_empty_name", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_ext_san_no_entries_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSANNoEntry checks that e_ext_san_no_entries reports lint.Error for the
// fixture SANNoEntries.pem.
func TestSANNoEntry(t *testing.T) {
	const certFile = "SANNoEntries.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_san_no_entries", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSANHasEntry checks that e_ext_san_no_entries reports lint.Pass for the
// fixture orgValGoodAllFields.pem.
func TestSANHasEntry(t *testing.T) {
	const certFile = "orgValGoodAllFields.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_san_no_entries", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_ext_san_space_dns_name_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSANGood checks that e_ext_san_space_dns_name reports lint.Pass for the
// fixture orgValGoodAllFields.pem.
func TestSANGood(t *testing.T) {
	const certFile = "orgValGoodAllFields.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_san_space_dns_name", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSANSpace checks that e_ext_san_space_dns_name reports lint.Error for
// the fixture SANWithSpaceDNS.pem.
func TestSANSpace(t *testing.T) {
	const certFile = "SANWithSpaceDNS.pem"
	want := lint.Error
	// Exact comparison: the lint must reject this fixture at Error severity.
	if got := test.TestLint("e_ext_san_space_dns_name", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_ext_san_uri_not_ia5_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSANURIIA5 checks that e_ext_san_uri_not_ia5 reports lint.Pass for the
// fixture SANURIIA5.pem.
func TestSANURIIA5(t *testing.T) {
	const certFile = "SANURIIA5.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_san_uri_not_ia5", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSANURINotIA5 checks that e_ext_san_uri_not_ia5 reports lint.Error for
// the fixture SANURINotIA5.pem.
func TestSANURINotIA5(t *testing.T) {
	const certFile = "SANURINotIA5.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_san_uri_not_ia5", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_ext_san_uri_relative_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSANURIRelative checks that e_ext_san_uri_relative reports lint.Error
// for the fixture SANURIRelative.pem.
func TestSANURIRelative(t *testing.T) {
	const certFile = "SANURIRelative.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_san_uri_relative", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSANURIAbsolute checks that e_ext_san_uri_relative reports lint.Pass for
// the fixture SANURIAbsolute.pem.
func TestSANURIAbsolute(t *testing.T) {
	const certFile = "SANURIAbsolute.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_san_uri_relative", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_ext_subject_directory_attr_critical_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSdaCrit checks that e_ext_subject_directory_attr_critical reports
// lint.Error for the fixture subDirAttCritical.pem.
func TestSdaCrit(t *testing.T) {
	const certFile = "subDirAttCritical.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_subject_directory_attr_critical", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSdaNotCrit checks that e_ext_subject_directory_attr_critical reports
// lint.Pass for the fixture RFC5280example2.pem.
func TestSdaNotCrit(t *testing.T) {
	const certFile = "RFC5280example2.pem"
	want := lint.Pass
	// Pass is required exactly, so the fixture has to be one the lint
	// actually evaluates.
	if got := test.TestLint("e_ext_subject_directory_attr_critical", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_ext_subject_key_identifier_critical_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSkiCrit checks that e_ext_subject_key_identifier_critical reports
// lint.Error for the fixture skiCriticalCA.pem.
func TestSkiCrit(t *testing.T) {
	const certFile = "skiCriticalCA.pem"
	want := lint.Error
	if got := test.TestLint("e_ext_subject_key_identifier_critical", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSkiNotCrit checks that e_ext_subject_key_identifier_critical reports
// lint.Pass for the fixture skiNotCriticalCA.pem.
func TestSkiNotCrit(t *testing.T) {
	const certFile = "skiNotCriticalCA.pem"
	want := lint.Pass
	if got := test.TestLint("e_ext_subject_key_identifier_critical", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_idn_dnsname_must_be_nfc_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestIDNDnsNameNotNFC checks that e_international_dns_name_not_nfc reports
// lint.Error for the fixture dnsNamesNotNFC.pem.
func TestIDNDnsNameNotNFC(t *testing.T) {
	const certFile = "dnsNamesNotNFC.pem"
	want := lint.Error
	// Exact comparison: the non-normalized fixture must be rejected at Error
	// severity, not merely flagged.
	if got := test.TestLint("e_international_dns_name_not_nfc", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestIDNDnsNameIsNFC checks that e_international_dns_name_not_nfc reports
// lint.Pass for the fixture dnsNamesNFC.pem.
func TestIDNDnsNameIsNFC(t *testing.T) {
	const certFile = "dnsNamesNFC.pem"
	want := lint.Pass
	if got := test.TestLint("e_international_dns_name_not_nfc", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_issuer_field_empty_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNoIssuerField checks that e_issuer_field_empty reports lint.Error for
// the fixture issuerFieldMissing.pem.
func TestNoIssuerField(t *testing.T) {
	const certFile = "issuerFieldMissing.pem"
	want := lint.Error
	if got := test.TestLint("e_issuer_field_empty", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestHasIssuerField checks that e_issuer_field_empty reports lint.Pass for
// the fixture issuerFieldFilled.pem.
func TestHasIssuerField(t *testing.T) {
	const certFile = "issuerFieldFilled.pem"
	want := lint.Pass
	if got := test.TestLint("e_issuer_field_empty", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_name_constraint_empty_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNoNameConstraint checks that e_name_constraint_empty reports lint.Error
// for the fixture noNameConstraint.pem.
func TestNoNameConstraint(t *testing.T) {
	const certFile = "noNameConstraint.pem"
	want := lint.Error
	// NOTE(review): an Error result means the lint evaluated this fixture, so
	// presumably it carries the extension with no subtrees rather than
	// omitting the extension - confirm against testdata.
	if got := test.TestLint("e_name_constraint_empty", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestHasNameConstraint checks that e_name_constraint_empty reports lint.Pass
// for the fixture yesNameConstraint.pem.
func TestHasNameConstraint(t *testing.T) {
	const certFile = "yesNameConstraint.pem"
	want := lint.Pass
	if got := test.TestLint("e_name_constraint_empty", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_name_constraint_minimum_non_zero_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNcMinZero checks that e_name_constraint_minimum_non_zero reports
// lint.Pass for the fixture ncMinZero.pem.
func TestNcMinZero(t *testing.T) {
	const certFile = "ncMinZero.pem"
	want := lint.Pass
	if got := test.TestLint("e_name_constraint_minimum_non_zero", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestNcMinNotZero checks that e_name_constraint_minimum_non_zero reports
// lint.Error for the fixture ncMinPres.pem.
func TestNcMinNotZero(t *testing.T) {
	const certFile = "ncMinPres.pem"
	want := lint.Error
	if got := test.TestLint("e_name_constraint_minimum_non_zero", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_name_constraint_on_edi_party_name_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNcNoEDI checks that w_name_constraint_on_edi_party_name reports
// lint.Pass for the fixture ncMinZero.pem.
func TestNcNoEDI(t *testing.T) {
	// The Pass case reuses the general name-constraints fixture rather than a
	// fixture dedicated to this lint.
	const certFile = "ncMinZero.pem"
	want := lint.Pass
	if got := test.TestLint("w_name_constraint_on_edi_party_name", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestNcEDI checks that w_name_constraint_on_edi_party_name reports lint.Warn
// for the fixture ncOnEDI.pem.
func TestNcEDI(t *testing.T) {
	const certFile = "ncOnEDI.pem"
	want := lint.Warn
	if got := test.TestLint("w_name_constraint_on_edi_party_name", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_name_constraint_on_registered_id_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNcNoRegId checks that w_name_constraint_on_registered_id reports
// lint.Pass for the fixture ncMinZero.pem.
func TestNcNoRegId(t *testing.T) {
	// The Pass case reuses the general name-constraints fixture rather than a
	// fixture dedicated to this lint.
	const certFile = "ncMinZero.pem"
	want := lint.Pass
	if got := test.TestLint("w_name_constraint_on_registered_id", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestNcRegId checks that w_name_constraint_on_registered_id reports
// lint.Warn for the fixture ncOnRegId.pem.
func TestNcRegId(t *testing.T) {
	const certFile = "ncOnRegId.pem"
	want := lint.Warn
	if got := test.TestLint("w_name_constraint_on_registered_id", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_name_constraint_on_x400_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestNcNoX400 checks that w_name_constraint_on_x400 reports lint.Pass for
// the fixture ncMinZero.pem.
func TestNcNoX400(t *testing.T) {
	// The Pass case reuses the general name-constraints fixture rather than a
	// fixture dedicated to this lint.
	const certFile = "ncMinZero.pem"
	want := lint.Pass
	if got := test.TestLint("w_name_constraint_on_x400", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestNcX400 checks that w_name_constraint_on_x400 reports lint.Warn for the
// fixture ncOnX400.pem.
func TestNcX400(t *testing.T) {
	const certFile = "ncOnX400.pem"
	want := lint.Warn
	if got := test.TestLint("w_name_constraint_on_x400", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_serial_number_longer_than_20_octets_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/test"

	"github.com/zmap/zlint/v3/lint"
)

// testData pairs a certificate fixture with the status the lint must report
// for it.
type testData struct {
	file string
	want lint.LintStatus
}

// tests lists the fixtures exercised by TestSNSizeLimit.
var tests = []testData{
	{file: "serialNumberLarge.pem", want: lint.Error},
	{file: "serialNumberValid.pem", want: lint.Pass},
	// NOTE(review): presumably a serial number that exceeds the limit only
	// once the leading sign octet of its INTEGER encoding is counted -
	// confirm against the fixture.
	{file: "serialNumberLargeDueToSignedMSB.pem", want: lint.Error},
}

// TestSNSizeLimit runs e_serial_number_longer_than_20_octets over every entry
// in tests and reports each fixture whose status differs from the expected
// one. All entries are checked; a mismatch does not stop the loop.
func TestSNSizeLimit(t *testing.T) {
	const lintName = "e_serial_number_longer_than_20_octets"
	for i := range tests {
		tc := tests[i]
		status := test.TestLint(lintName, tc.file).Status
		if status == tc.want {
			continue
		}
		t.Errorf("%s: expected %s, got %s", tc.file, tc.want, status)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_subject_email_max_length_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubjectEmailLengthOK checks that e_subject_email_max_length reports
// lint.Pass for the fixture subjectEmailPresent.pem.
func TestSubjectEmailLengthOK(t *testing.T) {
	const certFile = "subjectEmailPresent.pem"
	want := lint.Pass
	if got := test.TestLint("e_subject_email_max_length", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSubjectEmailTooLong checks that e_subject_email_max_length reports
// lint.Error for the fixture SubjectEmailToolLong.pem.
func TestSubjectEmailTooLong(t *testing.T) {
	// The fixture name is spelled "ToolLong" in the source; it is kept as is
	// because it has to match the file on disk.
	const certFile = "SubjectEmailToolLong.pem"
	want := lint.Error
	if got := test.TestLint("e_subject_email_max_length", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_subject_empty_without_san_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubEmptyNoSAN checks that e_subject_empty_without_san reports
// lint.Error for the fixture subjectEmptyNoSAN.pem.
func TestSubEmptyNoSAN(t *testing.T) {
	const certFile = "subjectEmptyNoSAN.pem"
	want := lint.Error
	// Exact comparison: the fixture must be rejected at Error severity.
	if got := test.TestLint("e_subject_empty_without_san", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

// TestSubEmptyYesSAN checks that e_subject_empty_without_san reports
// lint.Pass for the fixture SANSubjectEmptyNotCritical.pem.
func TestSubEmptyYesSAN(t *testing.T) {
	// NOTE(review): the fixture name suggests a non-critical SAN; this lint
	// is expected to pass on it regardless - criticality is presumably
	// covered by a separate lint, confirm.
	const certFile = "SANSubjectEmptyNotCritical.pem"
	want := lint.Pass
	if got := test.TestLint("e_subject_empty_without_san", certFile).Status; got != want {
		t.Errorf("%s: expected %s, got %s", certFile, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_subject_given_name_max_length_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/test"

	"github.com/zmap/zlint/v3/lint"
)

// TestSubjectGivenNameMaxLength runs e_subject_given_name_max_length over a
// table of fixtures, one subtest per fixture named after the file, and checks
// the reported status against the expected one.
func TestSubjectGivenNameMaxLength(t *testing.T) {
	const lintName = "e_subject_given_name_max_length"
	// NOTE(review): the fixture names suggest given-name lengths below 64 and
	// above 32768; the limits themselves are not visible here.
	cases := []struct {
		fixture string
		status  lint.LintStatus
	}{
		{fixture: "givenNameUnder64.pem", status: lint.Pass},
		{fixture: "givenNameOver32768.pem", status: lint.Error},
	}
	for i := range cases {
		// Copy the fields so the subtest closure does not depend on the loop
		// variable.
		fixture, want := cases[i].fixture, cases[i].status
		t.Run(fixture, func(t *testing.T) {
			if got := test.TestLint(lintName, fixture).Status; got != want {
				t.Errorf("%s: expected %s, got %s", fixture, want, got)
			}
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_subject_given_name_recommended_max_length_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/test"

	"github.com/zmap/zlint/v3/lint"
)

// TestSubjectGivenNameRecommendedMaxLength runs
// w_subject_given_name_recommended_max_length over a table of fixtures, one
// subtest per fixture named after the file, and checks the reported status
// against the expected one.
func TestSubjectGivenNameRecommendedMaxLength(t *testing.T) {
	const lintName = "w_subject_given_name_recommended_max_length"
	cases := []struct {
		fixture string
		status  lint.LintStatus
	}{
		{fixture: "givenNameUnder64.pem", status: lint.Pass},
		// Over the recommended length is expected to be a warning, not an
		// error.
		{fixture: "givenNameOver64.pem", status: lint.Warn},
	}
	for i := range cases {
		// Copy the fields so the subtest closure does not depend on the loop
		// variable.
		fixture, want := cases[i].fixture, cases[i].status
		t.Run(fixture, func(t *testing.T) {
			if got := test.TestLint(lintName, fixture).Status; got != want {
				t.Errorf("%s: expected %s, got %s", fixture, want, got)
			}
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_subject_info_access_marked_critical_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSiaCrit expects e_subject_info_access_marked_critical to report an error
// for the siaCrit.pem fixture.
func TestSiaCrit(t *testing.T) {
	const fixture = "siaCrit.pem"
	want := lint.Error
	if got := test.TestLint("e_subject_info_access_marked_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestSiaNotCrit expects the same lint to pass for the siaNotCrit.pem fixture.
func TestSiaNotCrit(t *testing.T) {
	const fixture = "siaNotCrit.pem"
	want := lint.Pass
	if got := test.TestLint("e_subject_info_access_marked_critical", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_subject_surname_max_length_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubjectSurnameMaxLength runs the e_subject_surname_max_length lint
// against two fixture certificates: surnameUnder64.pem must pass and
// surnameOver32768.pem must be reported as an error.
func TestSubjectSurnameMaxLength(t *testing.T) {
	cases := []struct {
		fixture string
		status  lint.LintStatus
	}{
		{fixture: "surnameUnder64.pem", status: lint.Pass},
		{fixture: "surnameOver32768.pem", status: lint.Error},
	}
	for _, tc := range cases {
		// The subtest runs synchronously (no t.Parallel), so reading tc inside
		// the closure observes the current iteration's values.
		t.Run(tc.fixture, func(t *testing.T) {
			got := test.TestLint("e_subject_surname_max_length", tc.fixture).Status
			if got != tc.status {
				t.Errorf("%s: expected %s, got %s", tc.fixture, tc.status, got)
			}
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_subject_surname_recommended_max_length_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
*/

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSubjectSurnameRecommendedMaxLength checks the warning-level lint
// w_subject_surname_recommended_max_length: surnameUnder64.pem must pass and
// surnameOver64.pem must produce a warning rather than an error.
func TestSubjectSurnameRecommendedMaxLength(t *testing.T) {
	const lintName = "w_subject_surname_recommended_max_length"

	expectations := []struct {
		fixture string
		status  lint.LintStatus
	}{
		{fixture: "surnameUnder64.pem", status: lint.Pass},
		{fixture: "surnameOver64.pem", status: lint.Warn},
	}
	for _, e := range expectations {
		// Subtests run synchronously, so e is safe to read in the closure.
		t.Run(e.fixture, func(t *testing.T) {
			if got := test.TestLint(lintName, e.fixture).Status; e.status != got {
				t.Errorf("%s: expected %s, got %s", e.fixture, e.status, got)
			}
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null_test.go:
--------------------------------------------------------------------------------
package rfc

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestSigRSAAlgIDNullParams runs e_tbs_signature_rsa_encryption_parameter_not_null
// against one passing and one failing fixture. Both the status and the Details
// string are compared, so the passing case also asserts that Details is empty.
func TestSigRSAAlgIDNullParams(t *testing.T) {
	const lintName = "e_tbs_signature_rsa_encryption_parameter_not_null"

	type scenario struct {
		label       string
		fixture     string
		wantStatus  lint.LintStatus
		wantDetails string
	}
	scenarios := []scenario{
		{"pass cert with NULL params", "rsawithsha1after2016.pem", lint.Pass, ""},
		{
			"error cert with missing NULL params",
			"rsaSigAlgoNoNULLParam.pem",
			lint.Error,
			"certificate tbsCertificate.signature RSA algorithm identifier missing required NULL parameter",
		},
	}

	for _, sc := range scenarios {
		t.Run(sc.label, func(t *testing.T) {
			got := test.TestLint(lintName, sc.fixture)
			if got.Status != sc.wantStatus {
				t.Errorf("expected result %v was %v", sc.wantStatus, got.Status)
			}
			if got.Details != sc.wantDetails {
				t.Errorf("expected error details %q was %q", sc.wantDetails, got.Details)
			}
		})
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_utc_time_does_not_include_seconds_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestUtcHasSeconds expects e_utc_time_does_not_include_seconds to pass for
// the utcHasSeconds.pem fixture.
func TestUtcHasSeconds(t *testing.T) {
	const fixture = "utcHasSeconds.pem"
	want := lint.Pass
	if got := test.TestLint("e_utc_time_does_not_include_seconds", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestUtcNoSeconds expects the same lint to report an error for the
// utcNoSeconds.pem fixture.
func TestUtcNoSeconds(t *testing.T) {
	const fixture = "utcNoSeconds.pem"
	want := lint.Error
	if got := test.TestLint("e_utc_time_does_not_include_seconds", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/lints/rfc/lint_utc_time_not_in_zulu_test.go:
--------------------------------------------------------------------------------
package rfc

/*
 * ZLint Copyright 2024
Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"testing"

	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/test"
)

// TestUtcZulu expects e_utc_time_not_in_zulu to pass. It reuses the
// utcHasSeconds.pem fixture as its passing certificate.
func TestUtcZulu(t *testing.T) {
	const fixture = "utcHasSeconds.pem"
	want := lint.Pass
	if got := test.TestLint("e_utc_time_not_in_zulu", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

// TestUtcNotZulu expects the same lint to report an error for the
// utcNotZulu.pem fixture.
func TestUtcNotZulu(t *testing.T) {
	const fixture = "utcNotZulu.pem"
	want := lint.Error
	if got := test.TestLint("e_utc_time_not_in_zulu", fixture).Status; got != want {
		t.Errorf("%s: expected %s, got %s", fixture, want, got)
	}
}

--------------------------------------------------------------------------------
/v3/newProfile.sh:
--------------------------------------------------------------------------------
# Script to create new profile from template

USAGE="Usage: $0

ARG1: file_name"

if [ $# -eq 0 ]; then
    echo "No arguments provided..."
    echo "$USAGE"
    exit 1
fi

if [ ! -d profiles ]
then
    echo "Directory 'profiles' does not exist. Can't make new file."
    exit 1
fi


if [ -e profiles/profile_$1.go ]
then
    echo "File already exists. Can't make new file."
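exit 1
fi

PROFILE=$1

# The profile name is interpolated into a sed replacement and into the output
# path below. Only accept characters that are inert in both places, so that a
# name containing '/', '&', '\' or whitespace cannot change the sed expression
# or redirect the write outside profiles/.
case "$PROFILE" in
    "" | *[!A-Za-z0-9_.-]*)
        echo "Profile name may only contain letters, digits, '_', '.' and '-'." >&2
        exit 1
        ;;
esac

# Substitute the PROFILE placeholder in the template and write the new file.
sed -e "s/PROFILE/${PROFILE}/" profileTemplate > "profiles/profile_${PROFILE}.go"

# Report the path that was actually written (profile_<name>.go).
echo "Created file profiles/profile_${PROFILE}.go"

--------------------------------------------------------------------------------
/v3/profileTemplate:
--------------------------------------------------------------------------------
/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.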
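*/

package profiles

import "github.com/zmap/zlint/v3/lint"

func init() {
	lint.RegisterProfile(lint.Profile{
		Name:        "PROFILE",
		Description: "Fill this in...",
		Citation:    "Fill this in...",
		Source:      lint.UnknownLintSource,
		LintNames:   []string{},
	})
}

--------------------------------------------------------------------------------
/v3/profiles/todo.go:
--------------------------------------------------------------------------------
package profiles

// This file exists purely to avoid the following error until we have at least one profile
//
// no non-test Go files in /home/runner/work/zlint/zlint/v3/profiles

--------------------------------------------------------------------------------
/v3/test/prepend_testcerts_openssl.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -e -o pipefail

BASE_DIR=$(dirname "$0")
CERTS_DIR="$BASE_DIR/../testdata"
TMP_DIR=$(mktemp -d -t zlint-XXXX)

# Trap EXIT to cleanup the TMP_DIR. The trap body is single-quoted, so
# $TMP_DIR is expanded when the trap fires; it is quoted there so a temp path
# containing whitespace is passed to rmdir as one argument. rmdir only removes
# the directory when it is empty.
trap '{ rmdir --ignore-fail-on-non-empty "$TMP_DIR"; }' EXIT

# For every .pem file in the $CERTS_DIR directory, prepend OpenSSL text output
# if required.
for f in "$CERTS_DIR"/*.pem; do
  # Skip any files that don't begin with a PEM header. These are assumed to
  # already have the OpenSSL text output prepended.
  if [[ ! $(head -n1 "$f") =~ "-----BEGIN" ]]; then
    continue
  fi

  # If an argument is provided only consider filenames that match the provided
  # argument. This allows only prepending a specific testcert instead of all
  # unprepended testcerts. Note that $1 is unquoted on the right of =~, so it
  # is interpreted as a regular expression rather than a literal filename.
  CERT_NAME=$(basename "$f")
  if [[ -n "$1" && ! $CERT_NAME =~ $1 ]]; then
    continue
  fi

  # If the certificate has errors parsing with OpenSSL print a warning to stderr
  # and continue. Sometimes our test data is too weird to parse and that's OK.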
31 | if ! openssl x509 -in "$f" -noout || false; then 32 | echo "error parsing $f with OpenSSL" >&2 33 | continue 34 | fi 35 | 36 | # Prepend the test cert with its -text OpenSSL output. 37 | openssl x509 -text -in "$f" -outform PEM -out "$TMP_DIR/$CERT_NAME.new" \ 38 | && mv "$TMP_DIR/$CERT_NAME.new" "$f" 39 | done 40 | -------------------------------------------------------------------------------- /v3/test_template: -------------------------------------------------------------------------------- 1 | /* 2 | * ZLint Copyright 2024 Regents of the University of Michigan 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); you may not 5 | * use this file except in compliance with the License. You may obtain a copy 6 | * of the License at http://www.apache.org/licenses/LICENSE-2.0 7 | * 8 | * Unless required by applicable law or agreed to in writing, software 9 | * distributed under the License is distributed on an "AS IS" BASIS, 10 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 11 | * implied. See the License for the specific language governing 12 | * permissions and limitations under the License. 
13 | */ 14 | 15 | package PACKAGE 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/zmap/zlint/v3/lint" 21 | "github.com/zmap/zlint/v3/test" 22 | ) 23 | 24 | func TestPASCAL_CASE_SUBST(t *testing.T) { 25 | inputPath := "TEST_CERT.pem" 26 | expected := lint.Error 27 | out := test.TestLint("LINT_NAME", inputPath) 28 | if out.Status != expected { 29 | t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /v3/testdata/IANDNSNotIA5String.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/IANDNSNotIA5String.pem -------------------------------------------------------------------------------- /v3/testdata/IANURINotIA5String.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/IANURINotIA5String.pem -------------------------------------------------------------------------------- /v3/testdata/SANDNSNotIA5String.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/SANDNSNotIA5String.pem -------------------------------------------------------------------------------- /v3/testdata/SANEmptyName.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/SANEmptyName.pem -------------------------------------------------------------------------------- /v3/testdata/aiaCrit.pem: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/aiaCrit.pem -------------------------------------------------------------------------------- /v3/testdata/caMaxPathLenMissing.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/caMaxPathLenMissing.pem -------------------------------------------------------------------------------- /v3/testdata/caMaxPathLenPositive.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/caMaxPathLenPositive.pem -------------------------------------------------------------------------------- /v3/testdata/caMaxPathLenPresentNoCertSign.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/caMaxPathLenPresentNoCertSign.pem -------------------------------------------------------------------------------- /v3/testdata/caMaxPathNegative.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/caMaxPathNegative.pem -------------------------------------------------------------------------------- /v3/testdata/code_signing/codeSigningWithECDSAKey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIC6jCCApCgAwIBAgIBATAKBggqhkjOPQQDAjBMMRswGQYDVQQDExJPViBDb2Rl 3 | IFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENvMQsw 4 | CQYDVQQGEwJVUzAeFw0yNDA3MDYwMzM2MTFaFw0yNTA3MDYwMzM2MTFaMIGYMRMw 5 | EQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYDVQQH 6 | 
Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQGEwJV 7 | UzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdhbml6 8 | YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATygqNfraSNicrB7ZBvbdiD 9 | xrcltb8PWCcFWeNb6exDv1Rdg2wPrXWx93ZAScbSlCBxGJPw9QjTLthlg57P/5hT 10 | o4IBFDCCARAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwG 11 | A1UdEwEB/wQCMAAwEAYDVR0jBAkwB4AFAQIDBAUwWwYIKwYBBQUHAQEETzBNMCMG 12 | CCsGAQUFBzABhhdodHRwOi8vb2NzcC5leGFtcGxlLmNvbTAmBggrBgEFBQcwAoYa 13 | aHR0cDovL2V4YW1wbGUuY29tL2NhMS5jcnQwEwYDVR0gBAwwCjAIBgZngQwBBAEw 14 | VwYDVR0fBFAwTjAloCOgIYYfaHR0cDovL2NybDEuZXhhbXBsZS5jb20vY2ExLmNy 15 | bDAloCOgIYYfaHR0cDovL2NybDIuZXhhbXBsZS5jb20vY2ExLmNybDAKBggqhkjO 16 | PQQDAgNIADBFAiAttu5xMOUBVZ3mdxSNJESLrFqXfC+xuif8v8uM6YTlTwIhAJ5t 17 | mocjjb81xfhnVri8aXFBLMfVQ8QEpAwl1H1D+Z21 18 | -----END CERTIFICATE----- -------------------------------------------------------------------------------- /v3/testdata/commonNameInSAN.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/commonNameInSAN.pem -------------------------------------------------------------------------------- /v3/testdata/crlComlepteDp.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/crlComlepteDp.pem -------------------------------------------------------------------------------- /v3/testdata/crlEmpty.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBEjCBuQIBATAKBggqhkjOPQQDAjAAFw0yMzA1MDkxNzU0NTVaoIGWMIGTMIGE 3 | BgNVHSMEfTB7gHkwdwIBAQQg4sC166JaXHUVDRXXFc7ZyoZmSghHDWoVUBz6L1xp 4 | rv+gCgYIKoZIzj0DAQehRANCAATfDbtdhRX3RnNa5dhfkMOKzkT0AmHwn2w6bLex 5 | KG8GNbwnBEYWQU7fYTU8vjd6UsrmF/SWXWNe8tAVjdE1kB0HMAoGA1UdFAQDAgEC 6 | 
MAoGCCqGSM49BAMCA0gAMEUCIAvuaPf4KZ3Ukw+R1InKWoj+i8HvAy29S2lHRDGs 7 | rTQxAiEA4zJSU0qGeWvpsa/JMvWpaYLDsOqMN77Zk0qWAOTlH/c= 8 | -----END X509 CRL----- 9 | -------------------------------------------------------------------------------- /v3/testdata/crlEntrustNoRevokedCerts01.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIICGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwgYAxMDAuBgNVBAMMJ0VudHJ1c3Qg 3 | Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBRVFNQMTEYMBYGA1UEYQwPVkFURVMt 4 | QjgxMTg4MDQ3MSUwIwYDVQQKDBxFbnRydXN0IERhdGFjYXJkIEV1cm9wZSBTLkwu 5 | MQswCQYDVQQGEwJFUxcNMjQwNDA0MDUyMTE0WhcNMjQwNDExMDUyMTEzWjAAoEow 6 | SDAfBgNVHSMEGDAWgBQcrT+c1y0iGaGcS+na8Soz9/u6DTALBgNVHRQEBAICDxsw 7 | GAYDVR08BBEYDzIwMjQwNDAyMDUyMTE0WjANBgkqhkiG9w0BAQsFAAOCAQEASWnR 8 | tZt0Hvn4jVsYmtQ8QTxnN8GK2QFqlm4Y0jQHFKE4ONHYqQ2/QaV1fVVc8TGX6apk 9 | CdyDjLlVW7eQsta4p45Sgu8lvORtf/i1NEkO3ZcxerFmLAsOkFRwd9p/KjsDwM44 10 | q1dX9o1SNqXxUcC0skyOx+1mze6c/hKN/A7Nb8uwbwcsF36TYYN5zwqN4onbWo83 11 | fBs3MG48yj6FwqH3Jq+LBT2LDuOg7Ut47qsPlry4QdQI7K5L9Zyjc4Hg3//Bp6rv 12 | vFyNWs1dtMg05H7nryguyQ52mJ4JjBYzWhnazZYb2vkGdM9GilnOTeoOwEWLS5zd 13 | ivQAcDeOyqsA4TdEhg== 14 | -----END X509 CRL----- 15 | -------------------------------------------------------------------------------- /v3/testdata/crlEntrustNoRevokedCerts02.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIB6DCB0QIBATANBgkqhkiG9w0BAQsFADBRMTAwLgYDVQQDDCdTaWVtZW5zIElz 3 | c3VpbmcgQ0EgSW50ZXJuZXQgU2VydmVyIDIwMjAxEDAOBgNVBAoMB1NpZW1lbnMx 4 | CzAJBgNVBAYTAkRFFw0yNDA0MDQwNjU5MTRaFw0yNDA0MTEwNjU5MTNaMACgSjBI 5 | MB8GA1UdIwQYMBaAFMmnV8uGyWEHxsK0hmWpHsHK4QKbMAsGA1UdFAQEAgIKazAY 6 | BgNVHTwEERgPMjAyNDA0MDIwNjU5MTRaMA0GCSqGSIb3DQEBCwUAA4IBAQCLI/au 7 | Ypv+dVoPAsyF5+iQ6mKugBah8qle8umSFbH42H+ngVwRyYzyOo4IGvi3FAHD8dXR 8 | 0E0GuH47zLIhU2GUqku0O699UA/qoLngTG13DVYqOIDWIW+fQduXKezMVc26rtjH 9 | 3U0OjYxHaUlcsix7e0BjRzeh+ubU3jPQMHKatJabImCkZeG7xPnhq6i1Hfb+4b3F 
10 | RA2nUA+IT3VQs/2tAoGcbqOgviS0AzaRgs2WUYm1PDm8YsML9Gt0d2LBe2o2Ov6n 11 | V5iXcKbtTzy+aq5ac7o9pwkuYLBnCELurMdTjUg0HpTRJMJm+lR2G+zmVhTO4azs 12 | 7n9Pv3Y7qkCujQ3j 13 | -----END X509 CRL----- 14 | -------------------------------------------------------------------------------- /v3/testdata/crlHasNextUpdate.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBnjCBhwIBATANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDEw1BbWlyIHdhcyBI 3 | ZXJlFw0yMzAzMTMwNTUyNTVaFw0yMzAzMTQwNTUyNTVaoDswOTArBgNVHSMEJDAi 4 | gCAywvCJz28KsE/6Wf9E1nuiihBFWlUyq7X/RDgn5SllIDAKBgNVHRQEAwIBATAN 5 | BgkqhkiG9w0BAQsFAAOCAQEAakioBhLs31svWHGmolDhUg6O1daN6zXSAz/avgzl 6 | 38aTKfRSNQ+vM7qgrvCoRojnamziJgXe1hz+/dc8H0/+WEBwVgp1rBzr8f25dSZC 7 | lXBHT1cNI5RL+wU0pFMouUiwWqwUg8o9iGYkqvhuko4AQIcpAoBuf0OggjCuj48r 8 | FX7UN7Kz4pc/4ufengKGkf7EeEQffY3zlS0DAtWv+exoQ6Dt+otDr0PbINJZg+46 9 | TJ/+0w6RsLGoe4Sh/PYPfaCngMyezENUgJgR1+vF6hbVUweeOB+4nFRNxvHMup0G 10 | GEA4yfzQtHWL8rizWUCyuqXEMPZLzyJT0rv5cLgoOvs+8Q== 11 | -----END X509 CRL----- 12 | -------------------------------------------------------------------------------- /v3/testdata/crlIncomlepteDp.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/crlIncomlepteDp.pem -------------------------------------------------------------------------------- /v3/testdata/crlNotHaveNextUpdate.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBjjB4AgEBMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNVBAMTDUFtaXIgd2FzIEhl 3 | cmUXDTIzMDMxMzA1NTQwOFqgOzA5MCsGA1UdIwQkMCKAIKiGvOMhlD6FiuwaEDl+ 4 | FxP5fyorz7E9iDke1/q+ngvkMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IB 5 | AQAWq81ZR98KCw3Y3KiH2ShJ+mxlgYO91ovQfzsbCOSHrcV9bnVYG8k3WMWBen/v 6 | LsXiSaVeG+9G1b459KuB6yVv24N0vtpzXOorFR1oi0wPWtYzPhkT+RD2Ov10XO2G 7 | 
bk3DSwcqcjYqx1Hu1BlHzEyTUvwij6XWUx1uc+olH6scRmycn9yGBMSga/Xgx6g1 8 | 4yM9lzN8lHeN2JLr1vnu///iBwwPvdhPMzUE0n/smH/6bkkZXHM33s0cJ6Wm0bLg 9 | TUg9QKGR2PIehZvJg1vvhpZyIEnpGPp1hN9FsK8eKuMJWEEqP7s5URHaHNYlmagA 10 | ylcX526EcfmL6vqtz5OIsfNC 11 | -----END X509 CRL----- 12 | -------------------------------------------------------------------------------- /v3/testdata/crlReasonCodeCrit.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIHfMIGGAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzMzU0NVowJzAlAgEDGA8w 3 | MDAxMDEwMTAwMDAwMFowDzANBgNVHRUBAf8EAwoBAKA7MDkwKwYDVR0jBCQwIoAg 4 | B6is8nK0AI9ZyMGgUI2dAkS+NbOYYe92ZoFyaa4dq8MwCgYDVR0UBAMCAQIwCgYI 5 | KoZIzj0EAwIDSAAwRQIhALGfy/9w8vgp3QlkYCtmfqeGtkvftNBhBFPfwqfmURBE 6 | AiAj/DvhTE4C6639BPuwDONrdA7B6yvxddMWKM2rUA/pvw== 7 | -----END X509 CRL----- 8 | -------------------------------------------------------------------------------- /v3/testdata/crlThisUpdate20230505.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIHdMIGDAgEBMAoGCCqGSM49BAMCMAAXDTIzMDUwNjAzNDA1NVowJDAiAgEDGA8w 3 | MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBBaA7MDkwKwYDVR0jBCQwIoAgSSxH 4 | cv+MyXTPfj99JsIKgswmBf7Xn5pP7Lwiew7Znn8wCgYDVR0UBAMCAQIwCgYIKoZI 5 | zj0EAwIDSQAwRgIhAIRnGCwy6E/9Tg4mdcXzDOw+yToPMTfVVcyg0uHUl4cdAiEA 6 | hvghFGNBRAWWm3acYsb+KBX9wCg3kfWBt6L7JnXovAU= 7 | -----END X509 CRL----- 8 | -------------------------------------------------------------------------------- /v3/testdata/crlWithAuthKeyID.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdSb290IENBFxEy 3 | NDEwMjgyMzI5MzErMDEwMBcRMjUxMDI4MjMyOTMxKzAxMDAwJjAkAgEBFxEyNDEw 4 | MjgyMzI5MzErMDEwMDAMMAoGA1UdFQQDCgEFoC8wLTAKBgNVHRQEAwIBATAfBgNV 5 | HSMEGDAWgBRUsHutRbjiQH/7Cm77vjPJPKOE1TANBgkqhkiG9w0BAQsFAAOCAQEA 6 | 
lz8TEEYTSCY633weMHkCMjJZoPgOmM5kIGBMg8Mgl6GNJA3pZYfwUhxpa+eb+M7U 7 | WBo3JtXLWrIsu++YitTw16kLWIsUg2iEtDDZnPVagw+qtrYnifsihF+aSjbOUBQr 8 | oaT5wnPbf3tG5I84TZ5/rTtkG7wtuU7bbSc2GdaG1x33cIG/EXMzgwxNWwoKSo2w 9 | Z2spALtQFyPLTGxf9jhS7mYMDEAxu7njw5/10/BLGOWzmQhlkHaqdeqZqMk/y9gX 10 | 45y0z7F4T7SqpafacQHk4v6TD8vWVtCIU8gp0vNJTkJITZpdjm9IwgHexXsQXXrF 11 | DXk+Gj9jgl9PQefJwSGTSg== 12 | -----END X509 CRL----- 13 | -------------------------------------------------------------------------------- /v3/testdata/crlWithDuplicatesInRevokedCertificateList.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBBzCBrgIBATAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdSb290IENBGA8wMDAx 3 | MDEwMTAwMDAwMFowSDAiAgEDGA8wMDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoB 4 | BTAiAgEDGA8wMDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBBaAuMCwwHgYDVR0j 5 | BBcwFYATcm9vdCBzdWJqZWN0IGtleSBpZDAKBgNVHRQEAwIBATAKBggqhkjOPQQD 6 | AgNIADBFAiEAuKyEUD/rZigP95CfYTTujgc6hpQV5481Y+9N2vt7Y8cCIDSt1fNi 7 | qv6UqrWJlIzWSpJYkm5jZZgf4MqTtHjJ40bM 8 | -----END X509 CRL----- 9 | -------------------------------------------------------------------------------- /v3/testdata/crlWithMissingAuthKeyID.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdSb290IENBFxEy 3 | NDEwMjgyMzIxMjkrMDEwMBcRMjUxMDI4MjMyMTI5KzAxMDAwJjAkAgEBFxEyNDEw 4 | MjgyMzIxMjkrMDEwMDAMMAoGA1UdFQQDCgEFoA4wDDAKBgNVHRQEAwIBATANBgkq 5 | hkiG9w0BAQsFAAOCAQEACPLUGxlwMl/VViDPl/WXdUmOwemYhjgPsCqiyeh2m5ud 6 | Ewp87b3rWpN/2xcTP6VNEgXDyVulX0OdKBI0t4UwXQoKnsXlIChQ8eJMTxvIDjcZ 7 | hAOhtDjigKAlxQLzHcE/5C+dkZxK4McfwnA8Hd5MfasWqY9e8AWzaW04/V1gXZsT 8 | v+6ivSpA0m1uS/oEhdqKg0x6WYWs8RnzgwMDZeg9UqOKq0J1xqQ96yZF4vfxWqCJ 9 | kXajMAEerkWDK4ymxl6CgfGnAVzxxCtIuWJnto44j6QsOR1WvPSiD9NxGnfvEqPJ 10 | 7pTy0x7sF8IKkTFr4P66pttnrkcDvA+3ot1BbgB3GQ== 11 | -----END X509 CRL----- 12 | 
-------------------------------------------------------------------------------- /v3/testdata/crlWithNoDuplicatesInRevokedCertificateList.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIHYMIGAAgEBMAoGCCqGSM49BAMCMAAYDzAwMDEwMTAxMDAwMDAwWjAkMCICAQMY 3 | DzAwMDEwMTAxMDAwMDAwWjAMMAoGA1UdFQQDCgEFoDYwNDAmBgNVHSMEHzAdgBtp 4 | bnRlcm1lZGlhdGUgc3ViamVjdCBrZXkgaWQwCgYDVR0UBAMCAQEwCgYIKoZIzj0E 5 | AwIDRwAwRAIgKW/t2p4I+U4VJ3Tuo70JGzUY7vgv8BHCCyCnWtuKoiQCID3zPiiV 6 | X2MUcmUEIoNvck0XyDbsxWFaDn76xddAMD/v 7 | -----END X509 CRL----- 8 | -------------------------------------------------------------------------------- /v3/testdata/crlWithReasonCode0.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzMjgzMFowJDAiAgEDGA8w 3 | MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBAKA7MDkwKwYDVR0jBCQwIoAgTNow 4 | i3fmv11CTOp+ECXxItsklofKPiMEhbkF2CDFkDIwCgYDVR0UBAMCAQIwCgYIKoZI 5 | zj0EAwIDSAAwRQIhAP2Wao7WtdGSYVMbTQdPIPFztP7oJvXkNCR45o0Ca19RAiAQ 6 | rLw1aajKw3p4iOXxpdAetbMh7GUvuJjgb8f4PmmS8w== 7 | -----END X509 CRL----- 8 | -------------------------------------------------------------------------------- /v3/testdata/crlWithReasonCode2.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzMjc0NlowJDAiAgEDGA8w 3 | MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBAqA7MDkwKwYDVR0jBCQwIoAgaKfL 4 | ufc1P2u5ckFBzp9JeJi/7SOij/uVWEB04Fq7oJowCgYDVR0UBAMCAQIwCgYIKoZI 5 | zj0EAwIDSAAwRQIgdnoQOfGZ7Hifb6vUwDGmta1Pngz8VlJ39q0Z8uZApWgCIQCO 6 | NcpgZ4xFtRurF6I82LkrCKweIY4jHoYEx97gCUlfrA== 7 | -----END X509 CRL----- 8 | -------------------------------------------------------------------------------- /v3/testdata/crlWithReasonCode5.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 
| MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzNDAxNVowJDAiAgEDGA8w 3 | MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBBaA7MDkwKwYDVR0jBCQwIoAgLQ5J 4 | FJK78KIMTp4/AXlnjbmnWUp72aRFh6+6++zjF5owCgYDVR0UBAMCAQIwCgYIKoZI 5 | zj0EAwIDSAAwRQIhAJsjck+HO4/ae7S38jyZbE4JA7DfnisEPkePrLIEKoULAiAx 6 | OWdDCTntIZk0dFqZlEtDeEc/5M1bjqQ8S1q4I3jocw== 7 | -----END X509 CRL----- 8 | -------------------------------------------------------------------------------- /v3/testdata/crlWithReasonCode7.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzNDAyNlowJDAiAgEDGA8w 3 | MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBB6A7MDkwKwYDVR0jBCQwIoAgZXC6 4 | GE/pCZGmsIGy7QDB/9zUbZW9YJuDiRJ5C5gG1BIwCgYDVR0UBAMCAQIwCgYIKoZI 5 | zj0EAwIDSAAwRQIga5n/5ccM2/pDJbME1QFzbBQALZ8XveiEn3WLz4T000ICIQCm 6 | f03FTQ8FZrTR9sD+Wr4gEVoNB8FfYEISvG9Maone+Q== 7 | -----END X509 CRL----- 8 | -------------------------------------------------------------------------------- /v3/testdata/crlWithRevokedCertificatesContainerButNoActualRevokedCerts-CBonnell.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBYDBKAgEBMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAoTC0NlcnRzICdyIFVz 3 | Fw0yNDA0MTUxNDMzMDBaFw0yNDA1MTUxNDMzMDBaMAAwDQYJKoZIhvcNAQELBQAD 4 | ggEBAGhq9yTTM2ZjzAxyNvXpVbOI4xQhC0L6pdjsZ13d3QFi41QvRFib13fHgcBm 5 | +hWXFSmOT8qgMlIk74y01DBCmrVyn6mTznr49Vy9k6eBEs34F9EtQrJ5MlYNghX2 6 | 8UNNTMbQS/T7aYQuVWp4VRZsM2ZFRC1XxDdj85qraRhhc6fDGS3PS6m5vnRuZlVv 7 | 3wVB2N2zutQeZcxHDbAa68rSS3fK8jdKjC8uzbYhCvWYIc/ZUB0c+o9clwbZdkl4 8 | eC6gxZ1/uD98+GilFUdX9JNVsi6Il1x9Upm+Oz6JZ43Ly2+yuQZu2rohZNxEzv/f 9 | rzDRkyHn2a+5mqqc2J9asb6RFUs= 10 | -----END X509 CRL----- 11 | -------------------------------------------------------------------------------- /v3/testdata/crlWithRevokedCertificatesContainerButNoActualRevokedCerts-ReallyReallyBroken.pem: 
-------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBSjA0AgEBMA0GCSqGSIb3DQEBCwUAMAAXDTI0MDQxNTE0MzMwMFoXDTI0MDUx 3 | NTE0MzMwMFowADANBgkqhkiG9w0BAQsFAAOCAQEAaGr3JNMzZmPMDHI29elVs4jj 4 | FCELQvql2OxnXd3dAWLjVC9EWJvXd8eBwGb6FZcVKY5PyqAyUiTvjLTUMEKatXKf 5 | qZPOevj1XL2Tp4ESzfgX0S1CsnkyVg2CFfbxQ01MxtBL9PtphC5VanhVFmwzZkVE 6 | LVfEN2PzmqtpGGFzp8MZLc9Lqbm+dG5mVW/fBUHY3bO61B5lzEcNsBrrytJLd8ry 7 | N0qMLy7NtiEK9Zghz9lQHRz6j1yXBtl2SXh4LqDFnX+4P3z4aKUVR1f0k1WyLoiX 8 | XH1Smb47PolnjcvLb7K5Bm7auiFk3ETO/9+vMNGTIefZr7maqpzYn1qxvpEVSw== 9 | -----END X509 CRL----- 10 | -------------------------------------------------------------------------------- /v3/testdata/crl_missing_crl_number_ko.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJFVTEQMA4GA1UE 3 | ChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBDQSBmb3IgemxpbnQgdGVzdGluZxcN 4 | MjQwNDE4MDcyMDM0WhcNMjQwNDE5MDcyMDM0WqAUMBIwEAYDVR0jBAkwB4AFAQID 5 | BAUwDQYJKoZIhvcNAQELBQADggEBAItG2rOL7KnlKCOnEwZh1DUMGb1R9MGamQse 6 | Yz+XLuP6MOAVlZno/61Jjea4uKQWSPdTX6jE7BTW67CFFlnFLQLu7PODd6pSvqRo 7 | hvw4LrI5y/+FeIqkwGNxQKyxYUdLfC8ybouKgQF4S0l31oAeW61fQ4QVh2bNU4y7 8 | EdgODmwnsIjhaCOSVh25CnEG4V/XdbZQhQjl/S/C6Emd2tFHjyRdxAk+dEdJhAJV 9 | 4p6PFGXlapyEjb+lTSTy/Tub4hrVEJiQsVgLXSsZRZBBrtRow68SSwCyEzLD6OZt 10 | fjVl4W3Tkio7dudTEHvlLSmoXB7SFVIRZ79KChryyPorrjijRNA= 11 | -----END X509 CRL----- 12 | 13 | -------------------------------------------------------------------------------- /v3/testdata/crl_missing_crl_number_ok.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBrzCBmAIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJFVTEQMA4GA1UE 3 | ChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBDQSBmb3IgemxpbnQgdGVzdGluZxcN 4 | MjQwNDE4MDcxOTA5WhcNMjQwNDE5MDcxOTA5WqAhMB8wEAYDVR0jBAkwB4AFAQID 5 | 
BAUwCwYDVR0UBAQCAhI0MA0GCSqGSIb3DQEBCwUAA4IBAQBKeHtcc4thnELs6EiQ 6 | Cm/BvDmbz6k4F0jBEV/vMbSomp0+lrM8mJDpyos/cU+Ug8EWgS2/789ujm+aHPEJ 7 | 84A66/lmg77/iJZFwTtgOURSBbMmaEeFLpZy1ZJRbGOgn2c1SxHcd7m4Hb1BfTe1 8 | yCFanjwX6aB7RWDXFKlpZ77VGvLTqX36MbEWaiifMdmrH+wQ22njDi9PT0qMScNv 9 | 2vZ4s4f9tjQLxWnr+mqeeZhU4wa0uv98SWzoSzx+0gdLsPeYyw7ethYonPu9kNsM 10 | 6DEBZ6i1QjzilR8aIYKZ3JOB4PY7McMjI9iJIJp71hoXAZsiFbhKeydq+VppBzxf 11 | BquN 12 | -----END X509 CRL----- 13 | 14 | -------------------------------------------------------------------------------- /v3/testdata/emptyPermittedDNSBadExcludedDNS.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/emptyPermittedDNSBadExcludedDNS.pem -------------------------------------------------------------------------------- /v3/testdata/emptyPermittedDNSGoodExcludedDNS.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/emptyPermittedDNSGoodExcludedDNS.pem -------------------------------------------------------------------------------- /v3/testdata/emptyPermittedIPExcludedBoth.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/emptyPermittedIPExcludedBoth.pem -------------------------------------------------------------------------------- /v3/testdata/emptyPermittedIPExcludedIPv4.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/emptyPermittedIPExcludedIPv4.pem -------------------------------------------------------------------------------- /v3/testdata/emptyPermittedIPExcludedIPv6.pem: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/emptyPermittedIPExcludedIPv6.pem -------------------------------------------------------------------------------- /v3/testdata/explicitText200Char.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/explicitText200Char.pem -------------------------------------------------------------------------------- /v3/testdata/frshCRLCritical.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/frshCRLCritical.pem -------------------------------------------------------------------------------- /v3/testdata/frshCRLNotCritical.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/frshCRLNotCritical.pem -------------------------------------------------------------------------------- /v3/testdata/generalizedAfter2050.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/generalizedAfter2050.pem -------------------------------------------------------------------------------- /v3/testdata/generalizedHasSeconds.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/generalizedHasSeconds.pem -------------------------------------------------------------------------------- /v3/testdata/generalizedNoFraction.pem: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/generalizedNoFraction.pem -------------------------------------------------------------------------------- /v3/testdata/generalizedNoSeconds.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/generalizedNoSeconds.pem -------------------------------------------------------------------------------- /v3/testdata/generalizedNotZulu.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/generalizedNotZulu.pem -------------------------------------------------------------------------------- /v3/testdata/generalizedPrior2050.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/generalizedPrior2050.pem -------------------------------------------------------------------------------- /v3/testdata/ncAllPres.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/ncAllPres.pem -------------------------------------------------------------------------------- /v3/testdata/ncEmptyValue.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/ncEmptyValue.pem -------------------------------------------------------------------------------- /v3/testdata/ncMinPres.pem: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/ncMinPres.pem -------------------------------------------------------------------------------- /v3/testdata/ncMinZero.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/ncMinZero.pem -------------------------------------------------------------------------------- /v3/testdata/nonEmptyPermitted.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/nonEmptyPermitted.pem -------------------------------------------------------------------------------- /v3/testdata/nonEmptyPermittedDNS.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/nonEmptyPermittedDNS.pem -------------------------------------------------------------------------------- /v3/testdata/ocspThisUpdateAfterProducedAt: -------------------------------------------------------------------------------- 1 | MIHuCgEAoIHoMIHlBgkrBgEFBQcwAQEEgdcwgdQwe6ECMAAYDzIwMjUwMjA0MTUyODAwWjBkMGIw 2 | OjAJBgUrDgMCGgUABBRDT/Kpele1XpFZGGOVYd+WA/SsxQQUqm/MRGGKLqVE27HcxUnzFM5U6PYC 3 | ASqAABgPMjAyNTAyMDQxNjI4NDVaoBEYDzIwMjUwMjA1MTUyODQ1WjAKBggqhkjOPQQDAgNJADBG 4 | AiEA0rOFxjS0O2ULpOHvz5Jv93PJRl0BDm48wajn6mwq7fQCIQC8kGIKMczLMaFhqdpjMWXMrZDH 5 | 8VEut90a3SQ5EdQOug== -------------------------------------------------------------------------------- /v3/testdata/ocspThisUpdateNotAfterProducedAt: -------------------------------------------------------------------------------- 1 | MIHuCgEAoIHoMIHlBgkrBgEFBQcwAQEEgdcwgdQwe6ECMAAYDzIwMjUwMjA0MTUyNzAwWjBkMGIw 2 | OjAJBgUrDgMCGgUABBRDT/Kpele1XpFZGGOVYd+WA/SsxQQUdsgj8WVbiYiO6ywqW7jfqHcJD3kC 3 | 
ASqAABgPMjAyNTAyMDQxNDI3MDRaoBEYDzIwMjUwMjA1MTUyNzA0WjAKBggqhkjOPQQDAgNJADBG 4 | AiEAy6Yv3aPSXRZVoymldMckP4yksplvahFh/tCn4gbOGJsCIQCiKLtK0U2RZOXY8B9JG6qjwOsL 5 | 7xHkVgk8n+/zBrTocA== -------------------------------------------------------------------------------- /v3/testdata/policyQualifiersOtherThanCpsNotPermittedError.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/policyQualifiersOtherThanCpsNotPermittedError.pem -------------------------------------------------------------------------------- /v3/testdata/policyQualifiersOtherThanCpsNotPermittedValid.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/policyQualifiersOtherThanCpsNotPermittedValid.pem -------------------------------------------------------------------------------- /v3/testdata/sha1ExpireAfter2017.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/sha1ExpireAfter2017.pem -------------------------------------------------------------------------------- /v3/testdata/sha1ExpirePrior2017.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/sha1ExpirePrior2017.pem -------------------------------------------------------------------------------- /v3/testdata/siaCrit.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/siaCrit.pem -------------------------------------------------------------------------------- /v3/testdata/siaNotCrit.pem: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/siaNotCrit.pem -------------------------------------------------------------------------------- /v3/testdata/subCaCrlMissing.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/subCaCrlMissing.pem -------------------------------------------------------------------------------- /v3/testdata/subCaCrlPresent.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/subCaCrlPresent.pem -------------------------------------------------------------------------------- /v3/testdata/uniqueIdVersion1.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/uniqueIdVersion1.pem -------------------------------------------------------------------------------- /v3/testdata/uniqueIdVersion3.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/uniqueIdVersion3.pem -------------------------------------------------------------------------------- /v3/testdata/userNoticeExpTextNotIA5String.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/userNoticeExpTextNotIA5String.pem -------------------------------------------------------------------------------- /v3/testdata/userNoticeExpTextUtf8.pem: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/userNoticeExpTextUtf8.pem -------------------------------------------------------------------------------- /v3/testdata/userNoticeMissing.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/userNoticeMissing.pem -------------------------------------------------------------------------------- /v3/testdata/userNoticePres.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/userNoticePres.pem -------------------------------------------------------------------------------- /v3/testdata/userNoticeUnrecommended.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/userNoticeUnrecommended.pem -------------------------------------------------------------------------------- /v3/testdata/utcHasSeconds.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/utcHasSeconds.pem -------------------------------------------------------------------------------- /v3/testdata/utcNotZulu.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmap/zlint/8696d6cdc9d509d22e455b82fc5a794d67d65a36/v3/testdata/utcNotZulu.pem -------------------------------------------------------------------------------- /v3/testdata/utf8ControlX10.pem: -------------------------------------------------------------------------------- 
// v3/util/cs.go

package util

import "github.com/zmap/zcrypto/encoding/asn1"

// Certificate-policy OIDs, in dotted-decimal form, that IsCodeSigning treats
// as marking a code-signing certificate. Both sit under the CA/Browser Forum
// arc 2.23.140.1.
const (
	evCodeSigningPolicy = "2.23.140.1.3"
	codeSigningPolicy   = "2.23.140.1.4.1"
)

// IsCodeSigning reports whether policies contains at least one of the two
// code-signing policy OIDs above. A nil or empty slice yields false.
//
// Each OID is compared through its dotted-decimal String() form. The function
// looks only at the policy identifiers it is handed: it does not inspect key
// usage or extended key usage, so a caller that needs those must check them
// separately.
func IsCodeSigning(policies []asn1.ObjectIdentifier) bool {
	for i := range policies {
		// Render the OID once and match it against both known policies.
		switch policies[i].String() {
		case evCodeSigningPolicy, codeSigningPolicy:
			return true
		}
	}

	return false
}
// v3/util/gtld_test.go

package util

import (
	"testing"
	"time"
)

// TestHasValidTLD checks that HasValidTLD accepts a lowercase name under .com.
//
// The check is made at time.Now(), so the result depends on the wall clock of
// the machine running the test. The second argument presumably selects the
// date at which TLD validity is evaluated; confirm against HasValidTLD.
func TestHasValidTLD(t *testing.T) {
	const name = "google.com"
	const want = true

	got := HasValidTLD(name, time.Now())
	if got == want {
		return
	}
	t.Error(
		"For", name,
		"expected", want,
		"got", got,
	)
}

// TestHasValidTLDUppercaseName checks that HasValidTLD also accepts the same
// name written in upper case, i.e. that the TLD lookup is not case-sensitive
// for this input.
func TestHasValidTLDUppercaseName(t *testing.T) {
	const name = "GOOGLE.COM"
	const want = true

	got := HasValidTLD(name, time.Now())
	if got == want {
		return
	}
	t.Error(
		"For", name,
		"expected", want,
		"got", got,
	)
}
// v3/util/rdn.go

package util

import "github.com/zmap/zcrypto/encoding/asn1"

// AttributeTypeAndRawValue pairs an attribute type OID with its value held as
// an asn1.RawValue rather than a decoded Go type.
type AttributeTypeAndRawValue struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue
}

// AttributeTypeAndRawValueSET is a list of AttributeTypeAndRawValue entries.
// NOTE(review): the name suggests it models the SET forming one relative
// distinguished name; confirm against the callers.
type AttributeTypeAndRawValueSET []AttributeTypeAndRawValue

// RawRDNSequence is an ordered list of AttributeTypeAndRawValueSET values.
type RawRDNSequence []AttributeTypeAndRawValueSET

// v3/util/san.go

package util

import (
	"net/mail"

	"github.com/zmap/zcrypto/x509"
)

// HasEmailSAN reports whether c carries at least one non-empty e-mail style
// name: either a non-empty entry in c.EmailAddresses, or an entry in
// c.OtherNames whose TypeID equals OidIdOnSmtpUtf8Mailbox and whose value
// bytes are non-empty.
//
// Only presence is tested. The address syntax is not validated here; use
// IsMailboxAddress for that. OidIdOnSmtpUtf8Mailbox is defined elsewhere in
// this package.
func HasEmailSAN(c *x509.Certificate) bool {
	for i := range c.EmailAddresses {
		if len(c.EmailAddresses[i]) > 0 {
			return true
		}
	}

	for i := range c.OtherNames {
		other := c.OtherNames[i]
		if !other.TypeID.Equal(OidIdOnSmtpUtf8Mailbox) {
			continue
		}
		if len(other.Value.Bytes) > 0 {
			return true
		}
	}

	return false
}

// IsMailboxAddress returns true if the passed in string resembles an RFC 5322
// mailbox address.
//
// The input must parse with mail.ParseAddress and the parsed address must
// equal the input exactly. Forms that the parser accepts but that carry more
// than the bare address, such as a display name, surrounding angle brackets
// or leading whitespace, are therefore rejected.
func IsMailboxAddress(address string) bool {
	parsed, err := mail.ParseAddress(address)
	if err != nil {
		return false
	}
	return parsed.Address == address
}